VDB
KO

GO-2026-5924

Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder

Details

Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/coder/coder
Introduced in: 0

No fixed version published yet for github.com/coder/coder (go modules). Pin to a known-safe version or switch to an alternative.

Go / github.com/coder/coder/v2
Introduced in: 0 Fixed in: 2.29.17
Fix go get github.com/coder/coder/v2@v2.29.17

References