Summary
The CreateSubAgent RPC did not validate a requested app sharing level against the template's MaxPortSharingLevel before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum.
Note: Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls.
Impact
A workspace owner with an agent token could register a sub-agent app as PUBLIC even when the template's MaxPortSharingLevel was owner, exposing the app to unauthenticated users via the wildcard app domain. This affected only deployments using Enterprise port-sharing policy and wildcard app hostnames and required an authenticated workspace owner with an agent token.
Patches
The fix clamps the sub-agent app sharing level to the template's MaxPortSharingLevel.
The fix was backported to all supported release lines:
Workarounds
Disable wildcard app hostnames (CODER_WILDCARD_ACCESS_URL) to block subdomain-based app routing.
Resources
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22452) for independently disclosing this issue!
References
Summary
The
CreateSubAgentRPC did not validate a requested app sharing level against the template'sMaxPortSharingLevelbefore persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum.Impact
A workspace owner with an agent token could register a sub-agent app as
PUBLICeven when the template'sMaxPortSharingLevelwasowner, exposing the app to unauthenticated users via the wildcard app domain. This affected only deployments using Enterprise port-sharing policy and wildcard app hostnames and required an authenticated workspace owner with an agent token.Patches
The fix clamps the sub-agent app sharing level to the template's
MaxPortSharingLevel.The fix was backported to all supported release lines:
Workarounds
Disable wildcard app hostnames (
CODER_WILDCARD_ACCESS_URL) to block subdomain-based app routing.Resources
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22452) for independently disclosing this issue!
References