Skip to content

bug: coder_app with share="owner" accessible by other users in same organization #21229

New issue
New issue
Open
Open
bug: coder_app with share="owner" accessible by other users in same organization#21229
Labels
bugsecurityArea: security
@blinkagent

Description

@blinkagent
blinkagent
bot
opened on Dec 11, 2025

Summary

Subdomain workspace apps configured with share = "owner" are accessible by other authenticated users in the same organization, bypassing the intended owner-only access control.

Environment

  • Coder version: d81d7eeb308c384a61c0094039c04acf311d4f35 (release/2.20 branch)
  • Deployment: Kubernetes
  • Database: PostgreSQL 16.8

Reproduction Steps

  1. Create a template with a coder_app resource configured with share = "owner":
resource "coder_app" "nginx" {
  order        = 1
  agent_id     = coder_agent.main.id
  slug         = "portal"
  display_name = "Portal"
  url          = "http://localhost:8080"
  icon         = "https://www.abinitio.com/favicon.ico"
  subdomain    = true
  share        = "owner"
}
  1. Create workspaces for two different users (user1 and user2) in the same organization using this template
  2. Both users have no elevated roles (not template admin, not owner)
  3. Log in as user1 in an incognito browser
  4. Access user2's workspace app via the subdomain URL: https://portal--<workspace>--<user2>--apps.<domain>/

Expected Behavior

user1 should receive an authorization error when attempting to access user2's workspace app, since the app is configured with share = "owner".

Actual Behavior

user1 can successfully access user2's workspace app despite the share = "owner" configuration.

Database Verification

Confirmed the apps are correctly stored with sharing_level = owner:

coder=> SELECT slug, sharing_level FROM workspace_apps WHERE slug = 'portal';
  slug  | sharing_level
--------+---------------
 portal | owner
...
(47 rows)

Deployment Configuration

CODER_MAX_PORT_SHARE_LEVEL: owner
CODER_BROWSER_ONLY: true

Security Impact

This is a significant security concern as it allows authenticated users to access workspace applications that should be restricted to the workspace owner only. This could expose sensitive data or services running in other users' workspaces.

Notes

  • Both users are in the same organization
  • Neither user has elevated roles
  • Apps are accessed via subdomain URLs (not path-based)
  • CODER_MAX_PORT_SHARE_LEVEL is set to owner (though this should only affect port sharing, not coder_app sharing per the docs)

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugsecurityArea: security

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions