CVE-2026-55434 in Coderinfo

Summary

by MITRE • 07/07/2026

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with `io.ReadAll` without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Exploitation requires authenticated access to the AI Bridge endpoints and the impact is limited to availability (denial of service). Versions 2.33.8 and 2.34.2 patch the issue. No known workarounds are available.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability resides within the Coder platform's AI Bridge provider handlers where insufficient input validation leads to a memory exhaustion condition. This flaw affects versions 2.33.0 through 2.33.7 and 2.34.0 through 2.34.1, creating a path for authenticated attackers to exploit memory consumption issues through crafted requests. The technical implementation uses io.ReadAll without imposing size restrictions on request bodies, allowing malicious actors to submit arbitrarily large payloads that consume system resources. This design flaw directly violates secure coding practices and represents a classic denial of service vulnerability where resource exhaustion occurs due to inadequate input sanitization.

The operational impact of this vulnerability manifests as a denial of service condition affecting the availability of AI Bridge endpoints within the Coder platform. An authenticated user with access to these endpoints can trigger memory exhaustion by sending oversized request bodies, potentially causing system instability or complete unavailability of the targeted services. The vulnerability exists in the context of remote development environment provisioning where AI Bridge functionality is leveraged for automated operations. This creates a scenario where legitimate users may be unable to access critical AI-powered features while the system struggles with resource allocation.

From a cybersecurity perspective, this vulnerability aligns with CWE-400 which addresses improper input validation and CWE-770 which covers allocation of resources without limits. The attack pattern follows the ATT&CK technique T1499.004 for network denial of service, where adversaries consume system resources to prevent legitimate use of services. The authentication requirement means that this vulnerability operates within a privileged threat model where insiders or compromised accounts pose significant risk. Organizations relying on Coder's AI Bridge functionality face potential operational disruption when attackers exploit this memory exhaustion condition.

The fix implemented in versions 2.33.8 and 2.34.2 addresses the core issue by introducing proper request body size limits to prevent unbounded memory allocation. This represents a defensive coding practice that aligns with secure development lifecycle principles and helps maintain system availability. While no workarounds are available, organizations should prioritize immediate patching of affected systems to prevent potential exploitation. The vulnerability serves as an example of how seemingly simple input handling can create significant security concerns when proper resource management is not implemented. System administrators must monitor for potential exploitation attempts and ensure all instances of the platform are updated to patched versions to maintain service availability and system integrity.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!