Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Package
Affected versions
>= 2.34.0, < 2.34.2
>= 2.33.0, < 2.33.8
>= 2.30.0, < 2.32.7
< 2.29.17
Patched versions
2.34.2
2.33.8
2.32.7
2.29.17
Description
Published to the GitHub Advisory Database
Jul 6, 2026
Reviewed
Jul 6, 2026
Last updated
Jul 6, 2026
Summary
The devcontainer recreate endpoint relied on route middleware that checked only
ActionReadon the workspace and, unlike the sibling delete endpoint, performed noActionUpdatecheck before triggering the destructive rebuild.Impact
Any authenticated principal with read-only workspace access, such as a Template Admin or Org Template Admin, could recreate a devcontainer, destroying uncommitted in-container state and, if called repeatedly, denying service. This is an authorization bypass leading to data loss and denial of service.
Patches
The fix adds an explicit
ActionUpdateauthorization check before the agent is dialed like the delete endpoint.The fix was backported to all supported release lines:
Workarounds
None.
Resources
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22454) for independently disclosing this issue!
References