cvedb.io
CVE-2025-66411
HIGH · CVSS 7.8
EPSS exploitation probability: 0%
Published 2025-12-03T20:16:26.727 · Last modified 2026-06-17T09:56:47.553

Summary

Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.

Affected products

coder — coder

Does this affect you?

Add your gear to cvedb and we'll alert you only when coder ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.