Stable (since June 11, 2026)
Changelog
BREAKING CHANGES
- fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25712, 36c011d)
- fix!: reject OIDC login when email_verified claim is non-bool or absent (#25713, 335df24)
- fix!: validate HostnameSuffix and SSHConfigOptions (#26154, 6d0d4e0)
- fix!: only trust x-forwarded-host from configured trusted proxies (conflicts) (#26204, fa46906) (@geokat)
Features
Bug fixes
- Clamp template port sharing level in SubAgentAPI (#26061, 0ff82f1)
- Require update permission to recreate devcontainers (#25812, 7fd2977)
- Escape agent log HTML (#25808, bdfdf6c)
- Escape appearance values in HTML output (#25804, 345a88c)
- Always verify TLS on aibridgeproxyd upstream transport (#26131, d875dd1)
- Allow lifecycle code path to retry failed stop jobs (#26277, 0847137)
- Agent: Prevent command injection in shell execer (#26235, 049f5b1) (@zedkipp)
- Server: Prevent cross-tenant workspace app rebinding (#26103, 071f067) (@dylanhuff-at-coder)
- Validate agent-supplied AllowedIPs in coordinator (#26144, fa9d7a3) (@f0ssel)
- Server: Prevent user-admin from resetting owner password (#25709, fb9fe63)
- Reject oversized and invalid zip uploads (#25877, 97f9e3d)
- Validate FileSize in NewDataBuilder to prevent OOM DoS (#25710, 15ff74a)
- Rename bundled rstudio.svg to rproject.svg, add real RStudio icon (#26216, d654d6d)
- Use a random value for a simulated hash for built-in users (#26205, 53c2523)
- Server: Verify workspace owner matches app username (#26085, de92756)
- Prevent session token exfiltration via external app URLs (#26146, 91d1865) (@zedkipp)
- Add max bytes request limit to aibridge (#26164, 481857f)
- Check user is active in aibridge auth (#26173, f9486be)
Compare: v2.33.7...v2.33.8
Container image
docker pull ghcr.io/coder/coder:2.33.8
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.