VYPR
High severity · NVD Advisory · Published Dec 3, 2025 · Updated Dec 3, 2025

Coder logged sensitive objects unsanitized

CVE-2025-66411

Description

Coder allows organizations to provision remote development environments via Terraform. In releases before 2.26.5, in the 2.27 series before 2.27.7, and in the 2.28 series before 2.28.4, the Workspace Agent logged the manifest it fetched from the control plane, including any sensitive values it contained, in plaintext and unsanitized. An attacker with limited local access to the Coder workspace (VM, Kubernetes pod, etc.), or with access to a third-party system that ingests those logs (SIEM, centralized logging stack), could read the sensitive values from the logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Coder prior to versions 2.26.5, 2.27.7, and 2.28.4 logs Workspace Agent manifests with sensitive values in plaintext, exposing those values to anyone who can read the workspace logs locally or through a downstream log collector.

Vulnerability

Description

Coder, a self-hosted platform for cloud development environments, uses Terraform to define workspaces. In versions prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext without sanitization [1]. Whatever secrets the manifest carried (for example, credentials injected into the workspace as environment variables) were therefore written to the agent log unredacted, at the default info level, on every agent start.

Exploitation

Prerequisites

An attacker with limited local access to a Coder workspace (e.g., via a compromised VM or Kubernetes pod) or to a third-party logging system (SIEM, centralized log stack) could retrieve these logs. No special network position or elevated privileges are required beyond the ability to read the log files or query the log store [1]. The attack surface is therefore broad: it covers direct access to the workspace and indirect access through every platform the agent logs are forwarded to, where the entries typically persist under that platform's own retention policy.

Impact and Mitigation

A successful attacker could extract sensitive values from the logs, potentially leading to unauthorized access to external services, credential theft, or privilege escalation within the Coder environment. The issue is addressed in Coder versions 2.26.5, 2.27.7, and 2.28.4 [2][3], and users are strongly recommended to upgrade to one of these fixed versions. Upgrading stops new manifests from being logged but does not remove entries already written to workspace logs or shipped to a SIEM, so operators should also locate those entries, rotate any secrets they contain, and purge or restrict access to the affected log retention. The Coder project's source code is available on GitHub [4] for review and self-hosted deployment.
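The following is an added example, not code from Coder or from this advisory, showing the logging pattern behind the Description and a redacting alternative to the Mitigation's "drop the field" approach. It uses Go's standard log/slog rather than the cdr.dev/slog package the agent uses, and AgentManifest, sampleManifest, redactedManifest, logManifestUnsanitized, logManifestSanitized and leaks are all invented for the example; the secrets in sampleManifest are constructed placeholders.

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
	"sort"
	"strings"
)

// AgentManifest is a simplified stand-in, assumed for this example, for the manifest a
// workspace agent fetches at startup. The real Coder manifest is a protobuf message with
// many more fields; the sensitive part modelled here is the environment map, through
// which a template can hand secrets to the workspace.
type AgentManifest struct {
	AgentID     string
	AgentName   string
	Directory   string
	Environment map[string]string
}

// sampleManifest builds a constructed manifest carrying two obviously fake secrets.
func sampleManifest() AgentManifest {
	return AgentManifest{
		AgentID:   "agent-0001",
		AgentName: "main",
		Directory: "/home/coder",
		Environment: map[string]string{
			"GITHUB_TOKEN":      "ghp_EXAMPLEtoken0123456789",
			"DATABASE_PASSWORD": "hunter2-example-only",
		},
	}
}

// newTextLogger returns a logger writing key=value lines into an in-memory buffer, so the
// exact bytes that would reach a log file or SIEM can be inspected.
func newTextLogger() (*slog.Logger, *bytes.Buffer) {
	var buf bytes.Buffer
	return slog.New(slog.NewTextHandler(&buf, nil)), &buf
}

// logManifestUnsanitized mirrors the pre-fix pattern: the whole manifest is attached as a
// structured field, so every value in it, secrets included, lands in the log sink verbatim.
func logManifestUnsanitized(m AgentManifest) string {
	logger, buf := newTextLogger()
	logger.Info("fetched manifest", slog.Any("manifest", m))
	return buf.String()
}

// redactedManifest implements slog.LogValuer so that, wherever a manifest is handed to the
// logger, only non-secret metadata is emitted. Environment values are replaced by a count
// and the sorted key names, which is enough to debug wiring without leaking values.
type redactedManifest struct{ m AgentManifest }

func (r redactedManifest) LogValue() slog.Value {
	keys := make([]string, 0, len(r.m.Environment))
	for k := range r.m.Environment {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return slog.GroupValue(
		slog.String("agent_id", r.m.AgentID),
		slog.String("agent_name", r.m.AgentName),
		slog.String("directory", r.m.Directory),
		slog.Int("env_count", len(r.m.Environment)),
		slog.String("env_keys", strings.Join(keys, ",")),
	)
}

// logManifestSanitized keeps the useful "fetched manifest" breadcrumb but routes the
// manifest through the redacting LogValuer instead of dropping the field entirely.
func logManifestSanitized(m AgentManifest) string {
	logger, buf := newTextLogger()
	logger.Info("fetched manifest", slog.Any("manifest", redactedManifest{m}))
	return buf.String()
}

// leaks reports whether any environment value of m appears verbatim in logOutput; this is
// the check a code reviewer or a log-scanning test would run against the agent's output.
func leaks(m AgentManifest, logOutput string) bool {
	for _, v := range m.Environment {
		if v != "" && strings.Contains(logOutput, v) {
			return true
		}
	}
	return false
}

func main() {
	m := sampleManifest()
	fmt.Print("unsanitized: ", logManifestUnsanitized(m))
	fmt.Print("sanitized:   ", logManifestSanitized(m))
	fmt.Println("unsanitized leaks a secret:", leaks(m, logManifestUnsanitized(m)))
	fmt.Println("sanitized leaks a secret:  ", leaks(m, logManifestSanitized(m)))
}
```

The LogValuer route is worth preferring over deleting the field where the manifest is logged in more than one place: once the type itself knows how to render safely, a future call site that logs it on an error path gets the same redaction for free, whereas a per-line fix has to be repeated at each site.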

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions      Patched version
github.com/coder/coder/v2    Go          < 2.26.5               2.26.5
github.com/coder/coder/v2    Go          >= 2.27.0, < 2.27.7    2.27.7
github.com/coder/coder/v2    Go          >= 2.28.0, < 2.28.4    2.28.4

Affected products

  • Coder/Coder
    Range: < 2.26.5, < 2.27.7, < 2.28.4
  • coder/coder
    Range: >= 2.28.0, < 2.28.4

Patches

e2a46393fce4

fix: remove a sensitive field from an agent log line (#20968) (#20972)

https://github.com/coder/coder · Danny Kopping · Nov 27, 2025 · via GHSA
1 file changed · +1 −1
  • agent/agent.go (+1 −1, modified)
    @@ -1087,7 +1087,7 @@ func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context,
     		if err != nil {
     			return xerrors.Errorf("fetch metadata: %w", err)
     		}
    -		a.logger.Info(ctx, "fetched manifest", slog.F("manifest", mp))
    +		a.logger.Info(ctx, "fetched manifest")
     		manifest, err := agentsdk.ManifestFromProto(mp)
     		if err != nil {
     			a.logger.Critical(ctx, "failed to convert manifest", slog.F("manifest", mp), slog.Error(err))
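Review bot: the Critical log on the failed-conversion path two lines below the change still attaches the full manifest proto via slog.F("manifest", mp), so the same sensitive values removed from the Info line are still written in plaintext whenever agentsdk.ManifestFromProto returns an error. Drop that field too, or log only non-sensitive identifiers from mp alongside slog.Error(err), so the error path is covered by the same fix.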
    
06c6abbe0935

fix: remove a sensitive field from an agent log line (#20968) (#20971)

https://github.com/coder/coder · Danny Kopping · Nov 27, 2025 · via GHSA
1 file changed · +1 −1
  • agent/agent.go (+1 −1, modified)
    @@ -1076,7 +1076,7 @@ func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context,
     		if err != nil {
     			return xerrors.Errorf("fetch metadata: %w", err)
     		}
    -		a.logger.Info(ctx, "fetched manifest", slog.F("manifest", mp))
    +		a.logger.Info(ctx, "fetched manifest")
     		manifest, err := agentsdk.ManifestFromProto(mp)
     		if err != nil {
     			a.logger.Critical(ctx, "failed to convert manifest", slog.F("manifest", mp), slog.Error(err))
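Review bot: this backport of #20968 leaves the same gap as the others: the a.logger.Critical call in the trailing context still logs slog.F("manifest", mp), so a manifest that fails ManifestFromProto is dumped unsanitized on this branch as well. Remove the manifest field from the Critical line in the same commit, keeping slog.Error(err) for the diagnosis.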
    
a75205a55921

fix: remove a sensitive field from an agent log line (#20968) (#20970)

https://github.com/coder/coder · Danny Kopping · Nov 27, 2025 · via GHSA
1 file changed · +1 −1
  • agent/agent.go (+1 −1, modified)
    @@ -1097,7 +1097,7 @@ func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context,
     		if err != nil {
     			return xerrors.Errorf("fetch metadata: %w", err)
     		}
    -		a.logger.Info(ctx, "fetched manifest", slog.F("manifest", mp))
    +		a.logger.Info(ctx, "fetched manifest")
     		manifest, err := agentsdk.ManifestFromProto(mp)
     		if err != nil {
     			a.logger.Critical(ctx, "failed to convert manifest", slog.F("manifest", mp), slog.Error(err))
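Review bot: the fix stops at the Info line; the Critical line in the unchanged context below it still carries slog.F("manifest", mp), which is the same proto with the same sensitive values. Since a conversion failure is exactly the case where an operator will go and read this log entry, the field should be removed here too, or replaced with a redacted summary of mp, on all three release branches.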
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (10)

News mentions (0)

No linked articles in our index yet.