EXECUTIVE SUMMARY:
CVE-2026-44454 with a CVSS score of 8.1 is a command‑injection flaw in Coder’s dotfiles registry module that affects the go/github.com/coder/coder/v2 package for versions earlier than 2.29.7, versions 2.30.0 through 2.30.1, and the go/github.com/coder/coder package up to 0.27.3. The vulnerability arises because the module interpolates the user‑provided dotfiles_uri parameter directly into a shell command without sanitisation, allowing payloads such as $(…) or ; to be executed during workspace provisioning. An attacker can exploit this by crafting a deep‑link URL that includes mode=auto and a malicious param.dotfiles_uri value; when an authenticated user clicks the link, the workspace is created automatically with the attacker‑controlled URI, triggering the injection and granting arbitrary code execution inside the newly created workspace. The attacker thereby gains the ability to run commands with the workspace’s privileges, potentially exfiltrating Git credentials, secrets, or files and establishing a foothold for lateral movement. Exploitation requires only that the victim be logged in, that the targeted template uses the dotfiles module, and that the mode=auto parameter is not disabled, making the attack low‑effort but high‑impact.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-44454 with a CVSS score of 8.1 is a command‑injection flaw in Coder’s dotfiles registry module that affects the go/github.com/coder/coder/v2 package for versions earlier than 2.29.7, versions 2.30.0 through 2.30.1, and the go/github.com/coder/coder package up to 0.27.3. The vulnerability arises because the module interpolates the user‑provided dotfiles_uri parameter directly into a shell command without sanitisation, allowing payloads such as $(…) or ; to be executed during workspace provisioning. An attacker can exploit this by crafting a deep‑link URL that includes mode=auto and a malicious param.dotfiles_uri value; when an authenticated user clicks the link, the workspace is created automatically with the attacker‑controlled URI, triggering the injection and granting arbitrary code execution inside the newly created workspace. The attacker thereby gains the ability to run commands with the workspace’s privileges, potentially exfiltrating Git credentials, secrets, or files and establishing a foothold for lateral movement. Exploitation requires only that the victim be logged in, that the targeted template uses the dotfiles module, and that the mode=auto parameter is not disabled, making the attack low‑effort but high‑impact.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-m3cr-vc2j-pm27