coder

v2.33.7 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 5 known CVEs

Topics

agents dev-tools development-environment go ide jetbrains remote-development terraform vscode

Affected surfaces

deps rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 4d

The v2.33.7 release upgrades go-git, golang.org/x/net, and the Go runtime to address critical CVEs: CVE-2026-45570 and CVE-2026-45571 in go-git, five CVEs in golang.org/x/net, and CVE-2026-27145 and CVE-2026-42507 in the Go runtime.

Why it matters: All deployments using go‑git, golang.org/x/net, or Go <1.25.11 must upgrade immediately to mitigate high‑severity vulnerabilities (CVSS scores implied by severity 95) before attackers can exploit them.

Summary

AI summary

A mixed release: bug fixes (including one from @ssncferreira) and an updated container image.

Changes in this release

Security Critical

Upgrade go-git to v5.19.1 (CVE-2026-45570, CVE-2026-45571)

Source: llm_adapter@2026-06-08

Confidence: high

Security Critical

Upgrade golang.org/x/net to v0.55.0 (5 CVEs)

Source: llm_adapter@2026-06-08

Confidence: high

Security Critical

Upgrade Go runtime to 1.25.11 (CVE-2026-27145, CVE-2026-42507)

Source: llm_adapter@2026-06-08

Confidence: high

Feature Medium

Exclude service accounts from license seat count

Source: llm_adapter@2026-06-08

Confidence: high

Bugfix Medium

Strip proxy headers from bridge requests to fix Bedrock SigV4 signing

Source: llm_adapter@2026-06-08

Confidence: high

Full changelog

Stable (since June 08, 2026)

Changelog

Bug fixes

  • Upgrade go-git to v5.19.1 (CVE-2026-45570, CVE-2026-45571) (#25773, 5e7395090d)
  • Upgrade golang.org/x/net to v0.55.0 (5 CVEs) (backport 2.33) (#25774, 921d03741f)
  • Upgrade Go to 1.25.11 (CVE-2026-27145, CVE-2026-42507) (#26065, 757e570093)
  • fix(aibridge): strip proxy headers from bridge requests to fix Bedrock SigV4 signing (#26019, 056a7e4e7e) (@ssncferreira)
  • Exclude service accounts from license seat count (#24401, ce8724ee16)

Documentation

  • Update the architecture diagrams (#25816, 332c36506d)
  • Fix broken references and add users oidc-claims to manifest (#25706, 54d2dcafb6)

Compare: v2.33.6...v2.33.7

Container image

  • docker pull ghcr.io/coder/coder:2.33.7

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Security Fixes

  • CVE-2026-45570 — go‑git vulnerability
  • CVE-2026-45571 — go‑git vulnerability
  • CVE-2026-27145 — Go runtime vulnerability
  • CVE-2026-42507 — Go runtime vulnerability
  • 5 CVEs addressed by upgrading golang.org/x/net to v0.55.0

About coder

Secure environments for developers and their agents

Related context

Earlier breaking changes

  • v2.29.17 Validate HostnameSuffix and SSHConfigOptions
  • v2.29.17 Reject OIDC login when email_verified claim is non-bool or absent
  • v2.29.17 Restrict OIDC email fallback to first-time account linking
  • v2.29.17 Only trust x-forwarded-host from configured trusted proxies
