CVE-2023-26114

8.2 HIGH

📋 TL;DR

code-server versions before 4.10.1 fail to validate WebSocket origin headers during handshakes, allowing attackers in specific network scenarios to bypass same-origin policy protections. This vulnerability enables unauthorized access to the code-server instance and potentially sensitive data. All users running vulnerable code-server versions are affected.

💻 Affected Systems

Products:
  • code-server
Versions: All versions before 4.10.1
Operating Systems: All platforms running code-server
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects all default installations of code-server before version 4.10.1.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the code-server instance allowing attackers to execute arbitrary code, access sensitive files, and establish persistent access to the development environment.

🟠 Likely Case

Unauthorized access to the code-server interface leading to data exfiltration, credential theft, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially only allowing connection attempts without successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific network positioning and understanding of WebSocket protocols, but no authentication is needed once the attacker can reach the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.10.1 and later

Vendor Advisory: https://github.com/coder/code-server/releases/tag/v4.10.1

Restart Required: Yes

Instructions:

1. Stop the code-server service.
2. Update code-server to version 4.10.1 or later using your package manager or direct download.
3. Restart the code-server service.

🔧 Temporary Workarounds

Network Segmentation (platforms: all)

Restrict access to code-server WebSocket endpoints using firewall rules or network policies.

Reverse Proxy with Origin Validation (platforms: all)

Deploy a reverse proxy (nginx, Apache) that validates WebSocket origin headers before forwarding to code-server.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the code-server WebSocket endpoints
  • Monitor for unusual WebSocket connection patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check the code-server version. If it is below 4.10.1, the system is vulnerable.

Check Version:

code-server --version

Verify Fix Applied:

Confirm that the version reported by code-server after the update is 4.10.1 or higher.
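As an added example (not part of this advisory and not code from the code-server project), the following POSIX shell helper parses the output of `code-server --version`, compares it against the 4.10.1 fix release, and reports vulnerable / patched / unknown, so the same check can be scripted across a fleet of hosts. It assumes the version output starts with the dotted version number (for example `4.9.1 <commit> with Code 1.73.1`); the live check at the bottom only runs when the script is invoked with `--live`.

```shell
#!/bin/sh
# Added example, not code from the code-server project or the advisory.
# Compares a reported code-server version against the 4.10.1 fix release.

FIXED_VERSION="4.10.1"

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Missing components are treated as 0, so "4.10" < "4.10.1".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# classify_version "OUTPUT": prints vulnerable / patched / unknown for the raw
# text of `code-server --version` (assumed to begin with the version number,
# e.g. "4.9.1 <commit> with Code 1.73.1"). Returns 1 when vulnerable, 2 when
# no version could be parsed, 0 when patched.
classify_version() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        printf 'unknown\n'
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        printf 'vulnerable\n'
        return 1
    fi
    printf 'patched\n'
    return 0
}

# Live check of this host: only runs when invoked as `./check.sh --live`.
if [ "${1:-}" = "--live" ]; then
    classify_version "$(code-server --version 2>/dev/null)"
fi
```

The exit code makes the helper usable from configuration-management or inventory jobs: a non-zero status means either a vulnerable install or an unparseable version, and both deserve a follow-up.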

📡 Detection & Monitoring

Log Indicators:

  • Unusual WebSocket connection attempts from unexpected origins
  • Failed WebSocket handshakes with missing or malformed origin headers

Network Indicators:

  • WebSocket traffic to code-server from unauthorized sources
  • Unusual patterns in WebSocket handshake requests

SIEM Query:

websocket AND (origin:null OR origin:"") AND destination_port:code-server_port
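To make the log indicators above concrete, here is an added example (not part of this advisory) of a shell filter that flags WebSocket upgrade requests whose Origin header is absent, `null`, or different from the origin expected for the deployment. It assumes code-server sits behind a reverse proxy whose access log records the request line, `$http_origin` and `$http_upgrade` as quoted fields; that log format, the URL paths and the sample lines are all constructed for the example, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the advisory. Flags WebSocket handshakes whose Origin
# is missing, "null", or outside the expected origin, using proxy access logs.

# Constructed sample log lines (not real traffic). Assumed proxy log format:
#   client "request" status "$http_origin" "$http_upgrade"
SAMPLE_LOG='10.0.0.5 "GET /stable-1234/vscode HTTP/1.1" 101 "https://code.example.internal" "websocket"
10.0.0.7 "GET /stable-1234/vscode HTTP/1.1" 101 "https://other.example" "websocket"
10.0.0.8 "GET /stable-1234/vscode HTTP/1.1" 101 "" "websocket"
10.0.0.9 "GET /stable-1234/vscode HTTP/1.1" 101 "null" "websocket"
10.0.0.10 "GET /login HTTP/1.1" 200 "https://code.example.internal" ""'

# flag_ws_origins EXPECTED_ORIGIN: reads log lines on stdin and prints one
# ALERT line per WebSocket upgrade whose Origin is not exactly EXPECTED_ORIGIN.
# Splitting on the double quote keeps the quoted fields intact:
#   $1 client, $2 request, $4 origin, $6 upgrade header.
flag_ws_origins() {
    awk -F'"' -v expected="$1" '
        tolower($6) == "websocket" && $4 != expected {
            client = $1; sub(/ +$/, "", client)
            origin = ($4 == "" || tolower($4) == "null") ? "<missing>" : $4
            printf "ALERT client=%s origin=%s request=\"%s\"\n", client, origin, $2
        }'
}

# count_alerts EXPECTED_ORIGIN: number of flagged handshakes in SAMPLE_LOG.
count_alerts() {
    printf '%s\n' "$SAMPLE_LOG" | flag_ws_origins "$1" | wc -l | tr -d '[:space:]'
}

# Print the alerts for the sample data when run as `./ws-origin-check.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_ws_origins "https://code.example.internal"
fi
```

Run against a real proxy log, the filter is a one-liner for a cron job or a SIEM ingestion pre-filter; the expected origin should be the exact scheme, host and port users are meant to load code-server from, since an origin check that does substring matching is easy to get wrong.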
