VDB
KO

GO-2026-5897

Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder

Details

Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/coder/coder
Introduced in: 0

No fixed version published yet for github.com/coder/coder (go modules). Pin to a known-safe version or switch to an alternative.

Go / github.com/coder/coder/v2
Introduced in: 0 Fixed in: 2.29.7
Fix go get github.com/coder/coder/v2@v2.29.7

References