This release patches 2 CVEs for security teams tracking exposure across their dependency inventory.
ReleasePort's take
Moderate signal: The release upgrades the Go toolchain to 1.25.10 and cherry-picks go-git v5.19.0, fixing CVE-2026-45022; it also updates the base image to UBI9 and removes urllib3, remediating CVE-2026-44431.
Why it matters: Patch immediately if using Go toolchain 1.25.9 or go-git versions prior to 5.19.0; update scripts/ironbank images to UBI9 before the next deployment cycle to eliminate CVE-2026-44431 risk.
Summary
AI summary: Fixed CVE-2026-45022 in go-git and CVE-2026-44431 by updating the base image.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Cherry-pick go-git v5.19.0 fixes CVE-2026-45022 (Source: llm_adapter@2026-05-21, Confidence: high) | — |
| Security | Medium | Harden Azure identity certificate fetch (cherry-pick v2.33) (Source: llm_adapter@2026-05-21, Confidence: high) | — |
| Security | Medium | Verify PKCS7 signature on Azure instance identity tokens (2.33 cherry-pick) (Source: llm_adapter@2026-05-21, Confidence: high) | — |
| Security | Medium | Update base image to UBI9 and remove urllib3, fixing CVE-2026-44431 (Source: granite4.1:30b@2026-05-22-audit, Confidence: low) | — |
| Feature | Medium | Dashboard shows Organizations in admin dropdown for single-org OSS deployments (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Bugfix | Medium | Fix scripts/ironbank updates base image to UBI9 and removes urllib3, fixes CVE-2026-44431 (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Bugfix | Medium | Upgrade Go toolchain from 1.25.9 to 1.25.10 (Source: llm_adapter@2026-05-21, Confidence: low) | — |
Full changelog
Changelog
[!NOTE]
This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.
Bug fixes
- Upgrade Go toolchain from 1.25.9 to 1.25.10 (#25230, e5a96f3608)
- Cherry-pick go-git v5.19.0 (CVE-2026-45022) (#25229, 4e4e23539e)
- Dashboard: Show Organizations in admin dropdown for single-org OSS deployments (#25175, bbca430b4c)
- fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (CVE-2026-44431) (#25247, 818fc72802)
- Server: Harden Azure identity certificate fetch (cherry-pick v2.33) (#25276, 844c1e0467)
- Verify PKCS7 signature on Azure instance identity tokens (2.33 cherry-pick) (#25302, 2b778f292c)
Compare: v2.33.2...v2.33.3
Container image
docker pull ghcr.io/coder/coder:2.33.3
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
Security Fixes
- CVE-2026-45022 — go-git v5.19.0 upgrade
- CVE-2026-44431 — base image updated to UBI9 and urllib3 removed