github.com/coder/coder/v2

CVE-2026-44454

CVE-2026-44454 is a high-severity OS command injection vulnerability in github.com/coder/coder/v2 (go), affecting versions < 2.29.7. It is fixed in 2.29.7, 2.30.2.

Key facts

CVSS score: 8.1 (High)
Attack vector: Network
Issuing authority: GitHub Advisory Database
Affected package: github.com/coder/coder/v2
Fixed in: 2.29.7, 2.30.2
Disclosed: 2026

Summary

Command injection via dotfiles URI parameter combined with workspace auto-creation

The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfilesuri value (for example, one containing shell command substitution such as $(...)) could achieve command execution in their own workspace. The Create Workspace page's mode=auto deep links amplified this into a one-click attack: an attacker could craft a URL that prefilled param.dotfilesuri and silently provisioned a workspace with the attacker-controlled value, with no explicit user confirmation.

Details

Command injection in the dotfiles module (root cause)

The dotfiles module interpolated the user-provided dotfilesuri value directly into a shell script and executed it without input validation. Because the value was expanded by the shell, payloads using command substitution ($(...)), command separators (;, |, &&), or backticks were interpreted before the coder dotfiles CLI was invoked. The Coder CLI itself uses exec.CommandContext() with an argument array and is not vulnerable; the injection occurred earlier, during shell expansion inside the module. As a result, a user who entered a crafted dotfilesuri obtained arbitrary code execution in their workspace, even without mode=auto.

Auto-creation amplification (mode=auto)

The Create Workspace page supported a mode=auto query parameter that, combined with param. URL parameters, automatically created a workspace on page load without displaying a confirmation prompt. An attacker could craft a malicious URL pointing to a victim's Coder deployment and set arbitrary template parameter values (for example, param.dotfiles_uri). When an authenticated user clicked the link, the workspace was created immediately with the attacker-supplied parameters, turning the command injection above into a one-click, no-consent attack.

Example URL:

Impact

Arbitrary code execution inside the victim's workspace. Depending on the workspace's privileges, this may expose Git credentials, secrets, and workspace files, and can provide a foothold for lateral movement. With mode=auto, exploitation required only that an authenticated user click an attacker-supplied link to a template that uses the dotfiles module.

Patches

coder/registry (primary fix)

Input validation was added to the dotfiles module to reject URIs and usernames containing special characters, and the unsafe eval/sh -c usage was removed. This eliminates the command injection at its source.
https://github.com/coder/registry/pull/703

coder/coder (defense-in-depth)

A consent dialog was added that displays all prefilled param. values and blocks creation until the user explicitly clicks Confirm and Create. This removes the mode=auto one-click amplification vector.

Fix commit: https://github.com/coder/coder/commit/60e3ab7632f42415d283b9fd5622ee53a4639ceb (PR #22011)

Patched releases:
  • v2.29.7 (ESR)
  • v2.30.2 (mainline)

Recognition

We'd like to thank Aviv Donenfeld for responsibly disclosing this issue in accordance with https://coder.com/security/policy
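The two controls the Patches section describes, shown as an added Go example that is not Coder's registry module or CLI code. The registry module is a shell script, so this stands in for its logic in the project's language: a character allowlist that rejects dotfiles URIs carrying shell metacharacters, an invocation that passes the URI as one element of an argument array instead of through sh -c, and a helper that lists the param.* values a mode=auto deep link prefills so a consent step can display them before anything is created. The allowlist pattern, the function names, the sample URIs and the constructed deep link are assumptions of this example; the only page-sourced names are the coder dotfiles command and the param. and mode=auto query parameters.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"regexp"
	"sort"
	"strings"
)

// Allowlist for a dotfiles URI: letters, digits and the punctuation a git
// URL needs (. _ ~ : / @ -). Shell metacharacters such as $ ( ) ; | & and
// backticks fall outside the class and are rejected. This pattern is an
// assumption for the example, not the one the registry module uses.
var dotfilesURIPattern = regexp.MustCompile(`^[A-Za-z0-9._~:/@-]+$`)

// ValidateDotfilesURI rejects empty values and any value containing a
// character outside the allowlist.
func ValidateDotfilesURI(uri string) error {
	if uri == "" {
		return errors.New("dotfiles uri is empty")
	}
	if !dotfilesURIPattern.MatchString(uri) {
		return fmt.Errorf("dotfiles uri %q contains disallowed characters", uri)
	}
	return nil
}

// BuildDotfilesCommand is the hardened invocation: the URI becomes a single
// argv element, so no shell ever expands it. The pattern the advisory
// describes was equivalent to exec.Command("sh", "-c", "coder dotfiles "+uri),
// where $(...) and ; are interpreted before coder runs. The command is
// returned unstarted so the caller decides whether and where to run it.
func BuildDotfilesCommand(ctx context.Context, uri string) (*exec.Cmd, error) {
	if err := ValidateDotfilesURI(uri); err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, "coder", "dotfiles", uri), nil
}

// PrefilledParams inspects a Create Workspace deep link and returns whether
// mode=auto was requested plus every param.* value the link prefills, keyed
// by parameter name. A consent step renders this map and refuses to create
// the workspace until the user confirms.
func PrefilledParams(rawURL string) (bool, map[string]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, nil, err
	}
	q := u.Query()
	params := make(map[string]string)
	for key, values := range q {
		if strings.HasPrefix(key, "param.") && len(values) > 0 {
			params[strings.TrimPrefix(key, "param.")] = values[0]
		}
	}
	return q.Get("mode") == "auto", params, nil
}

func main() {
	// Constructed sample inputs: two ordinary git URIs and one carrying a
	// harmless command substitution that the allowlist must reject.
	inputs := []string{
		"https://github.com/example/dotfiles.git",
		"git@github.com:example/dotfiles.git",
		"https://example.com/dotfiles.git$(true)",
	}
	for _, in := range inputs {
		cmd, err := BuildDotfilesCommand(context.Background(), in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted, argv:", cmd.Args)
	}

	// Constructed deep link of the shape the advisory describes.
	link := "https://coder.example.com/templates/default/workspace?mode=auto&param.dotfiles_uri=https%3A%2F%2Fexample.com%2Fd.git"
	auto, params, err := PrefilledParams(link)
	if err != nil {
		fmt.Println("bad link:", err)
		return
	}
	names := make([]string, 0, len(params))
	for n := range params {
		names = append(names, n)
	}
	sort.Strings(names)
	fmt.Printf("mode=auto: %v; prefilled parameters requiring confirmation:\n", auto)
	for _, n := range names {
		fmt.Printf("  %s = %s\n", n, params[n])
	}
}
```

The argument-array form is the control that matters even if a validator is later loosened: the value reaches the CLI as a literal string, so the allowlist is defense in depth rather than the only barrier. The consent helper deliberately returns the parameters rather than acting on them, because the fix on the coder/coder side is to show the user what the link prefilled and wait for an explicit click.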

Impact

What is OS command injection?

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

Severity and exposure

CVE-2026-44454 has a CVSS score of 8.1 (High). The vector is network-reachable, requires no privileges, and requires user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (2.29.7, 2.30.2). Upgrading removes the vulnerable code path.

Affected versions

go

  • github.com/coder/coder/v2 (< 2.29.7)
  • github.com/coder/coder/v2 (>= 2.30.0, < 2.30.2)
  • github.com/coder/coder (<= 0.27.3)

Security releases

  • github.com/coder/coder/v2 → 2.29.7 (go)
  • github.com/coder/coder/v2 → 2.30.2 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's Application Detection and Response identifies whether CVE-2026-44454 is reachable in your applications. Explore runtime application protection for your team.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • Upgrade github.com/coder/coder/v2 to 2.29.7 or later
  • Upgrade github.com/coder/coder/v2 to 2.30.2 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-44454

What is CVE-2026-44454?

CVE-2026-44454 is a high-severity OS command injection vulnerability in github.com/coder/coder/v2 (go), affecting versions < 2.29.7. It is fixed in 2.29.7, 2.30.2. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.

How severe is CVE-2026-44454?

CVE-2026-44454 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which packages are affected by CVE-2026-44454?

  • github.com/coder/coder/v2 (go) (versions < 2.29.7)
  • github.com/coder/coder (go) (versions <= 0.27.3)

Is there a fix for CVE-2026-44454?

Yes. CVE-2026-44454 is fixed in 2.29.7 (ESR) and 2.30.2 (mainline). Upgrade to one of these versions or later.

Is CVE-2026-44454 exploitable, and should I be worried?

Whether CVE-2026-44454 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-44454 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-44454?

  • Upgrade github.com/coder/coder/v2 to 2.29.7 or later
  • Upgrade github.com/coder/coder/v2 to 2.30.2 or later
