
coder

v2.29.13 Security

This release patches 2 CVEs for security teams tracking exposure across their dependency inventory.

This release patches 2 known CVEs: GHSA-686c-7vgv-v3fx, GHSA-6x44-w3xg-hqqf

Topics

agents dev-tools development-environment go ide jetbrains remote-development terraform vscode

Affected surfaces

deps

ReleasePort's take

Light signal

Release v2.29.13 upgrades multiple dependencies to patch several CVEs and hardens Azure identity handling.

Why it matters: Patch immediately. The release fixes eight CVEs (CVE-2026-39883, CVE-2026-45022, CVE-2026-33186, CVE-2026-34986, CVE-2026-33814, CVE-2026-5160, plus two GHSA issues) and upgrades the Go runtime to 1.25.10; all affected components must be updated.

Summary

AI summary

CVE-2026 security fixes and Go runtime upgrade

Changes in this release

Security Medium

Upgrades OpenTelemetry SDK to v1.43.0 to fix CVE-2026-39883


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Upgrades go-git to v5.19.0 to fix CVE-2026-45022


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Upgrades go-jose to v4.1.4 to fix CVE-2026-34986


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Upgrades jsonparser to v1.1.2 to fix GHSA-6g7g-w4f8-9c9x


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Upgrades golang.org/x/net to v0.53.0 to fix CVE-2026-33814


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Upgrades markdown library to v2.29 to fix GHSA-77fj-vx54-gvh7


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Upgrades goldmark to v1.7.17 to fix CVE-2026-5160


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Upgrades Go runtime from 1.25.8 to 1.25.10


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Hardens Azure identity certificate fetch in server


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Adds PKCS7 signature verification for Azure instance tokens


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Upgrades gRPC to v1.79.3 to fix CVE-2026-33186


Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Updates container base image to UBI9 to fix CVE-2026-44431


Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Upgrades google.golang.org/grpc to v1.79.3 (CVE-2026-33186)


Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Security Medium

Changes container base image to UBI9 and removes urllib3 (CVE-2026-44431)


Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

Changelog

Bug fixes

  • Upgrade go.opentelemetry.io/otel/sdk to v1.43.0 (CVE-2026-39883) (#25254, c0f52b1697)
  • fix(deps): upgrade go-git/go-git/v5 to v5.19.0 (CVE-2026-45022) (#25256, 84b3f71046)
  • Upgrade google.golang.org/grpc to v1.79.3 (CVE-2026-33186) (#25262, bc9ee3ba06)
  • Bump go-jose/go-jose/v4 to v4.1.4 (CVE-2026-34986) (#25263, e02a00ef77)
  • Upgrade go-jose/v4 to v4.1.4 (CVE-2026-34986) (#25264, dfdbf8b7a7)
  • Upgrade buger/jsonparser to v1.1.2 (GHSA-6g7g-w4f8-9c9x) (#25265, c40a25ea92)
  • Upgrade buger/jsonparser to v1.1.2 (GHSA-6g7g-w4f8-9c9x) (#25266, cd5d7367bf)
  • Upgrade golang.org/x/net to v0.53.0 (CVE-2026-33814) (#25258, 7d00d11ae3)
  • fix(go.mod): bump gomarkdown/markdown to fix GHSA-77fj-vx54-gvh7 (v2.29) (#25251, c67fe2cda0)
  • fix(go.mod): upgrade goldmark to v1.7.17 (CVE-2026-5160) (#25252, 878200210d)
  • Bump Go from 1.25.8 to 1.25.10 (#25253, 5d6a67f9ef)
  • fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (CVE-2026-44431) (#25245, 9557b1ebef)
  • Server: Harden Azure identity certificate fetch (cherry-pick v2.29) (#25279, ec183eb010)
  • Verify PKCS7 signature on Azure instance identity tokens (backport 2.29) (#25307, 25ddc1cb78)

Compare: v2.29.12...v2.29.13

Container image

  • docker pull ghcr.io/coder/coder:2.29.13

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Security Fixes

  • CVE-2026-39883 — upgrade go.opentelemetry.io/otel/sdk to v1.43.0
  • CVE-2026-45022 — upgrade go-git/go-git/v5 to v5.19.0
  • CVE-2026-33186 — upgrade google.golang.org/grpc to v1.79.3
  • CVE-2026-34986 — bump go-jose/go-jose/v4 to v4.1.4 (duplicate entry ignored)
  • GHSA-6g7g-w4f8-9c9x — upgrade buger/jsonparser to v1.1.2 (duplicate entry ignored)
  • CVE-2026-33814 — upgrade golang.org/x/net to v0.53.0
  • GHSA-77fj-vx54-gvh7 — bump gomarkdown/markdown to v2.29
  • CVE-2026-5160 — upgrade goldmark to v1.7.17
  • CVE-2026-44431 — update UBI9 base image and remove urllib3


About coder

Secure environments for developers and their agents
