
coder

v2.32.2 Security

This release patches 2 CVEs for security teams tracking exposure across their dependency inventory.

This release patches 2 known CVEs: GHSA-686c-7vgv-v3fx, GHSA-6x44-w3xg-hqqf

Topics

agents dev-tools development-environment go ide jetbrains remote-development terraform vscode

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 13d

Release v2.32.2 patches CVE-2026-33814 in golang.org/x/net and includes several other security fixes.

Why it matters: Patch to v2.32.2 immediately to remediate CVE-2026-33814 (CVSS 7.5) affecting the network library.

Summary

AI summary

Fixed CVE-2026-33814 in golang.org/x/net and other security-related updates.

Changes in this release

Security Medium

PKCS7 signature verification added for Azure tokens


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Azure identity certificate fetch hardened


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Content Security Policy frame-ancestors fixes backported


Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

golang.org/x/net updated to v0.53.0 fixing CVE-2026-33814


Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

container base image updated to UBI9 fixing CVE-2026-44431


Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

OpenTelemetry SDK upgraded fixing CVE-2026-39883


Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

gomarkdown updated fixing GHSA-77fj-vx54-gvh7


Source: llm_adapter@2026-05-21

Confidence: low

Security Low

CSP frame-ancestors header fixes backported to 2.32 branch


Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Dependency Medium

go-git dependency updated from 5.18.0 to 5.19.0


Source: llm_adapter@2026-05-21

Confidence: high

Dependency Medium

Go toolchain upgraded from 1.25.9 to 1.25.10


Source: llm_adapter@2026-05-21

Confidence: high

Refactor Medium

pagination tests moved from vitest to storybook


Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Stable (since May 13, 2026)

Changelog

Bug fixes

  • Bump golang.org/x/net to v0.53.0 (CVE-2026-33814) (#25224, 561e42df11)
  • fix(go.mod): bump gomarkdown to fix GHSA-77fj-vx54-gvh7 (v2.32) (#25225, a7e6c6ed3d)
  • Cherry-pick OTel SDK v1.43.0 for CVE-2026-39883 (v2.32.x) (#25227, be2cd7aef8)
  • Bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#25240, bbe028604a)
  • Dashboard: Move pagination test from vitest to storybook story (#24165, da939aa4b2)
  • Upgrade Go toolchain from 1.25.9 to 1.25.10 (#25228, 315e800cb2)
  • fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (CVE-2026-44431) (#25249, d944b92a99)
  • Server: Harden Azure identity certificate fetch (cherry-pick v2.32) (#25277, 25219f30b1)
  • Verify PKCS7 signature on Azure instance identity tokens (backport 2.32) (#25303, d6e9344e03)
  • Server: Backport frame-ancestors CSP fixes to 2.32 (#24474, #24529) (#24806, 5f343bc337)

Compare: v2.32.1...v2.32.2

Container image

  • docker pull ghcr.io/coder/coder:2.32.2

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Security Fixes

  • CVE-2026-33814 — vulnerability in golang.org/x/net, fixed by bumping to v0.53.0
  • GHSA-77fj-vx54-gvh7 — vulnerability fixed by bumping gomarkdown on the v2.32 branch
  • CVE-2026-39883 — vulnerability addressed by cherry-picking OTel SDK v1.43.0
  • CVE-2026-44431 — vulnerability mitigated by updating the ironbank base image to UBI9 and removing urllib3


About coder

Secure environments for developers and their agents
