Summary
The workspace app proxy resolves the target app from httpapi.RequestHost() which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch() calls.
Note: Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip X-Forwarded-Host.
Impact
App session cookies are scoped to the wildcard parent domain so the browser attaches them to any app subdomain. An attacker who controls a shared workspace app can serve JavaScript that sends same-site requests with a forged X-Forwarded-Host pointing at a victim's private app. The server routes by the attacker-controlled header but authorizes with the victim's cookie which lets the attacker read the victim's private app responses. Subdomain app routing must be enabled and no upstream proxy may strip X-Forwarded-Host.
Patches
The fix trusts X-Forwarded-Host only from configured trusted proxies and otherwise resolves the routing host from the verified request host.
The fix was backported to all supported release lines:
Workarounds
Place an upstream reverse proxy that strips or overwrites X-Forwarded-Host on untrusted requests.
Resources
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22435) for independently disclosing this issue!
References
Summary
The workspace app proxy resolves the target app from
httpapi.RequestHost()which prefers theX-Forwarded-Hostheader over the realHostheader. No middleware stripsX-Forwarded-Hostbefore routing and the header is not browser-forbidden so client-side JavaScript can set it onfetch()calls.Impact
App session cookies are scoped to the wildcard parent domain so the browser attaches them to any app subdomain. An attacker who controls a shared workspace app can serve JavaScript that sends same-site requests with a forged
X-Forwarded-Hostpointing at a victim's private app. The server routes by the attacker-controlled header but authorizes with the victim's cookie which lets the attacker read the victim's private app responses. Subdomain app routing must be enabled and no upstream proxy may stripX-Forwarded-Host.Patches
The fix trusts
X-Forwarded-Hostonly from configured trusted proxies and otherwise resolves the routing host from the verified request host.The fix was backported to all supported release lines:
Workarounds
Place an upstream reverse proxy that strips or overwrites
X-Forwarded-Hoston untrusted requests.Resources
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22435) for independently disclosing this issue!
References