
coder

v2.30.8 Security

This release patches 2 CVEs for security teams tracking exposure across their dependency inventory.

This release patches 2 known CVEs: GHSA-686c-7vgv-v3fx, GHSA-6x44-w3xg-hqqf

Topics

agents dev-tools development-environment go ide jetbrains remote-development terraform vscode

Affected surfaces

deps rce_ssrf

ReleasePort's take

Light signal
editorial:auto 13d

v2.30.8 patches six CVEs across dependencies and hardens Azure identity certificate verification. Operators should upgrade to close security gaps in go-git, OTel SDK, goldmark, and other core libraries.

Why it matters: Six CVEs patched in widely-used libraries (go-git v5.19.0, OTel SDK v1.43.0, goldmark v1.7.17, edwards25519 v1.1.1) plus hardened PKCS7 signature validation for Azure identity tokens. Patch immediately.

Summary

AI summary

Security fixes address multiple CVEs and harden Azure identity certificate verification.

Changes in this release

Security High

Upgrade goldmark to v1.7.17 (fixes CVE-2026-5160)


Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Security Medium

Verify PKCS7 signature on Azure instance identity tokens (backport 2.30)

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

fix(go.mod): bump goldmark to v1.7.17 (fixes CVE-2026-5160)

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Bump go-git/go-git/v5 from v5.18.0 to v5.19.0 (fixes CVE-2026-45022)

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

fix(go.mod): upgrade OTel SDK from v1.39.0 to v1.43.0 (fixes CVE-2026-39883)

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Upgrade filippo.io/edwards25519 v1.1.0 to v1.1.1 (fixes CVE-2026-26958)

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (fixes CVE-2026-44431)

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Server: Harden Azure identity certificate fetch (cherry-pick v2.30)

Source: llm_adapter@2026-05-21

Confidence: high

Dependency Medium

Bump hashicorp/hc-install to v0.9.4


Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

fix(deps): upgrade gomarkdown/markdown to fix GHSA-77fj-vx54-gvh7 (v2.30.x)


Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Bump Go from 1.25.8 to 1.25.10


Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Widen engines.node to include Node.js 24 LTS


Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Dashboard: Remove flaky pagination test from WorkspacesPage


Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Low

Update Go runtime from 1.25.8 to 1.25.10


Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

Changelog

Bug fixes

  • Widen engines.node to include Node.js 24 LTS (#24419, 874f09598d)
  • Bump hashicorp/hc-install to v0.9.4 (#24547, dba38c39d9) (@ethanndickson)
  • Bump go-git/go-git/v5 from v5.18.0 to v5.19.0 (CVE-2026-45022) (#25234, 0ab69891d9)
  • fix(go.mod): upgrade OTel SDK from v1.39.0 to v1.43.0 (CVE-2026-39883) (#25233, 371506f0bb)
  • fix(deps): upgrade gomarkdown/markdown to fix GHSA-77fj-vx54-gvh7 (v2.30.x) (#25235, b9a49482d5)
  • Bump Go from 1.25.8 to 1.25.10 (#25232, 0bff6d2320)
  • Dashboard: Remove flaky pagination test from WorkspacesPage (#24165, 76402c02f5)
  • fix(go.mod): bump goldmark to v1.7.17 to fix CVE-2026-5160 (#25257, ed8b0b311f)
  • Upgrade filippo.io/edwards25519 v1.1.0 to v1.1.1 (CVE-2026-26958) (#25261, b1c5b9211f)
  • fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (CVE-2026-44431) (#25231, 9a9080b302)
  • Server: Harden Azure identity certificate fetch (cherry-pick v2.30) (#25281, af737be587)
  • Verify PKCS7 signature on Azure instance identity tokens (backport 2.30) (#25305, 74eba1e8a9)

Compare: v2.30.7...v2.30.8

Container image

  • docker pull ghcr.io/coder/coder:2.30.8

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Security Fixes

  • CVE-2026-45022 — upgrade go-git/go-git/v5 to v5.19.0
  • CVE-2026-39883 — upgrade OTel SDK to v1.43.0
  • GHSA-77fj-vx54-gvh7 — upgrade gomarkdown/markdown (v2.30.x)
  • CVE-2026-5160 — bump goldmark to v1.7.17
  • CVE-2026-26958 — upgrade filippo.io/edwards25519 to v1.1.1
  • CVE-2026-44431 — update base image to UBI9 and remove urllib3


About coder

Secure environments for developers and their agents
