Stable (since September 04, 2025)

Changelog

Security Fixes

• Expire token for prebuilds user when regenerating session token (#19667) (#19668, ec66090) (@johnstcn)

  ⚠ Fixes an issue allowing previously authenticated users to claim prebuilt workspaces created from templates using the coder-login module. Read more in our GHSA for this vulnerability.

• Server: Add audit log on creating a new session key (#19672) (#19684, a79adb1) (@johnstcn)

  Adds an audit log entry when an API key is created via coder login.

Bug Fixes

• Fix GCP service accounts (#19312) (#19315, d324cf7) (@ethanndickson)

Compare: v2.25.1...v2.25.2

Container image

• docker pull ghcr.io/coder/coder:v2.25.2

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Stable (since September 04, 2025)

Changelog

Security Fixes

• Expire token for prebuilds user when regenerating session token (#19667) (#19668, ec66090) (@johnstcn)

  ⚠ Fixes an issue allowing previously authenticated users to claim prebuilt workspaces created from templates using the coder-login module. Read more in our GHSA for this vulnerability.

• Server: Add audit log on creating a new session key (#19672) (#19684, a79adb1) (@johnstcn)

  Adds an audit log entry when an API key is created via coder login.

Compare: v2.24.3...v2.24.4

Container image

• docker pull ghcr.io/coder/coder:v2.24.4

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Changelog

KNOWN ISSUES

• You may see higher numbers of "API Key Created" entries in the audit logs. This is expected due to fixing an audit logging omission (#19672).
• Jetbrains users may experience inflated API key creation. This will be fixed in a future patch to the Jetbrains plugin version.

BREAKING CHANGES

• Support empty or default fields when updating templates (#19256, aab2ccd) (@rafrdz)

  Breaking change to the Coder Go SDK. Field types in codersdk.UpdateTemplateMeta for Icon, Description, and DisplayName changed from string to *string. Consumers must pass pointers and handle nil checks. Code that assigns/reads plain strings will no longer compile without updates.

• fix(coderd/prometheusmetrics)!: filter deleted wsbuilds to reduce db load (#19197, 1b66495) (@mafredri)

  Breaking change to coderd_api_workspace_latest_build Prometheus metric. The coderd_api_workspace_latest_build Prometheus metric no longer includes builds belonging to deleted workspaces, as such, this metric will show fewer statuses.

Security Fixes

• Expire token for prebuilds user when regenerating session token (#19667) (#19668, ec66090) (@johnstcn)

  ⚠ Fixes an issue allowing previously authenticated users to claim prebuilt workspaces created from templates using the coder-login module. Read more in our GHSA for this vulnerability.

• Server: Add audit log on creating a new session key (#19672) (#19684, a79adb1) (@johnstcn)

  Adds an audit log entry when an API key is created via coder login.

Features

• Validate presets on template import to prevent publishing an unusable template (#18844, f256a23) (@SasSwart)
• Allow bypassing current CORS magic based on template config (#18706, ffbfaf2) (@cstyan)
• Add MCP tools for ChatGPT. ChatGPT can now create Coder workspaces. (#19102, 79cd80e) (@hugodutka)
• Add prebuild timing metrics to Prometheus (#19503, 0ab345c) (@ssncferreira)
• Add author filter command to template filtering (#19202, 5b80c47) (@Emyrk)
• Implement rich multi-selector for multi-select in the CLI (#19201, a7fac30) (@mtojek)
• Add Sourcegraph Amp logo sourced from presskit (#19421, 7bcbb83) (@DevelopmentCats)
• Claim prebuilds based on workspace parameters instead of preset ID to improve prebuilds usability (#19279, f9a6adc) (@SasSwart)
• 📥 External workspaces is now in Early Access. Read more in our external workspaces documentation.
  • CLI: Add enterprise external-workspaces CLI command (#19287, 7b1dcd9) (@kacpersaw)
  • Server: Add has_external_agent flag to template_versions and workspace_builds (#19285, 5e4aa79) (@kacpersaw)
  • Server: Add support for external agents to API's and provisioner (#19286, 9edceef) (@kacpersaw)
  • Dashboard: Add support for external agents in the UI and extend CodeExample (#19288, 7f72067) (@kacpersaw)
• ☑ Coder Tasks UI improvements:
  • Show workspace build and startup script logs during tasks creation (#19413, 8aafbcb) (@BrunoQuaresma)

    Improved tasks creation UI:
    

  • Filter tasks that are waiting for user input (#19377, d77c3d0) (@BrunoQuaresma)
  • Display the number of idle tasks in the navbar (#19471, cde5b62) (@BrunoQuaresma)

    Improved visibility when tasks are waiting for user input.
    

• Show workspace health error alert above agents in workspace page for better visibility (#19400, 9a872f9) (@aqandrew)
• CLI: Add filtering options to provisioners list CLI command (#19378, ad5e678) (@rafrdz)
• CLI: Prevent coder schedule command on prebuilt workspaces (#19259, 92d505c) (@ssncferreira)
• CLI: Add coder exp tasks list command (#19496, 836324e) (@mafredri)
• CLI: Add exp task create command (#19492, 63c1325) (@DanielleMaywood)
• CLI: Implement exp task status command (#19533, 5baaf27) (@johnstcn)
• Server: Generate task names based on their prompt (#19335, 6553771) (@DanielleMaywood)
• Server: Add tasks /list and /get endpoints (#19468, 427b23f) (@mafredri)
• Add workspace-sharing experiment (#19106, ed62ddc) (@aslilac)

  We're testing out shared workspaces in an early and unstable experiment. If you are interested or have feedback please join the discussion in our Github.

Bug fixes

• Use system context for querying workspaces when deleting users to prevent deletion of users with workspaces(#19211, 99d75cc) (@ethanndickson)
• Upgrade Go to 1.24.6 to fix race in lib/pq queries (#19214, 91780db) (@spikecurtis)
• Prevent horizontal form section info from overlapping form fields (#19189, b8851f0) (@aqandrew)
• Upload the slim binaries from the build directory to the GCS bucket (#19281, 5d42b18) (@jdomeracki-coder)
• Generalize password invalid message (#19307, b8c9192) (@aqandrew)
• Prevent activity bump for prebuilt workspaces (#19263, 560cf84) (@ssncferreira)
• Set prebuilds lifecycle parameters on creation and claim (#19252, 8567ecb) (@ssncferreira)
• Disallow lifecycle endpoints for prebuilt workspaces (#19264, 734299d) (@ssncferreira)

  The two PRs above ensure a user's scheduling settings are correctly applied when claiming a prebuilt workspace.

• Correct scrolling overflow behavior for workspace history (#19340, 5b5fbbe) (@brettkolodny)
• Ensure deployment banner is always on the bottom (#19361, 362c78a) (@brettkolodny)
• Don't create autostart workspace builds with no available provisioners (#19067, 6c902a7) (@cstyan)
• Exclude prebuilt workspaces from template-level lifecycle updates (#19265, d79a779) (@ssncferreira)
• Fix jetbrains toolbox connection tracking (#19348, dd867bd) (@f0ssel)
• Support oidc group allowlist in oss (#19430, 5b1e809) (@rafrdz)
• Redirect users to /login if their oauth token is invalid (#19429, ee789da) (@brettkolodny)
• Add database constraint to enforce minimum username length (#19453, bcdade7) (@cstyan)
• Support 'me' as the username for template author (#19204, 3024bde) (@Emyrk)
• Fix workspaces pagination (#19448, 54440af) (@BrunoQuaresma)

  Users were previously unable to page through workspaces if they owned many (hundreds). This has been resolved.

• CLI: Display workspace created at time instead of current time (#19553, c19f430) (@DanielleMaywood)
• CLI: Attach org option to task create (#19554, 8083d9d) (@johnstcn)
• Enterprise: Update external agent instructions in CLI (#19411, c429020) (@kacpersaw)
• Dashboard: Remove redundant alt text to prevent duplicated accessible names (#19087, 44d9356) (@ssncferreira)
• Dashboard: Ensure notification settings page follows RBAC correctly (#19097, a185d3a) (@DanielleMaywood)
• Dashboard: Display tasks link when no templates contain an AI task (#19184, cc609cb) (@DanielleMaywood)
• Dashboard: Hide "Show parent apps" when no running or starting devcontainers (#19200, 1c70d32) (@DanielleMaywood)
• Dashboard: Fix render crash when no embedded apps are defined for task (#19215, ffbd583) (@DanielleMaywood)
• Dashboard: Add preset combobox to dynamic parameters page (#19100, 96e32d6) (@ssncferreira)
• Provisioner: Workaround lack of coder_ai_task resource on stop transition (#19560, bd139f3) (@johnstcn)
• Server: Filter out non-task workspaces in api.tasksList (#19559, dbc6c98) (@johnstcn)

Documentation

• Add code-server vs VSCode Web comparison table (#19104, 428ec35) (@EdwardAngert)
• Document how to start a remote MCP Coder server (#19150, a02d1c1) (@hugodutka)
• Add OAuth2 provider experimental feature documentation (#19165, 247efc0) (@ThomasK33)
• Update status of Coder Desktop + corporate VPN issue (#19350, 1ffc5a0) (@ethanndickson)
• Add generative AI contribution guidelines (#19427, a19dfa9) (@Emyrk)
• Add dev containers and scheduling to prebuilt workspaces known issues (#18816, 49f32d1) (@EdwardAngert)
• Add Google OIDC provider-specific guide (#19309, ea7025b) (@DevelopmentCats)

Performance improvements

• Don't call GetUserByID unnecessarily for Agents metrics loops (#19395, 014a2d5) (@cstyan)
• Speed up GetTailnetTunnelPeerBindings query (#19444, 229d051) (@spikecurtis)

Chores

• Update to node 20.19.4 (#19188, 5c88d93) (@aslilac)
• Update coder/preview to v1.0.4 (#19205, a2e8aa9) (@Emyrk)
• Upgrade to pnpm 10 (#19327, 2180d17) (@aslilac)
• Update terraform to 1.13.0 (#19509, 9b7d41d) (@app/blink-so)
• Helm: Make coder pprof endpoint available externally (#19185, 4ba9382) (@Emyrk)

Compare: v2.25.1...v2.26.0

Container image...

Stable (since September 02, 2025)

Changelog

Bug fixes

• Upgrade to 1.24.6 to fix race in lib/pq queries (#19214) (#19218, 079328d)

  ⚠ Resolves CVE-2025-47907, details can be found here in golang/go. Additionally, see our blog about this vulnerability.

Compare: v2.25.0...v2.25.1

Container image

• docker pull ghcr.io/coder/coder:v2.25.1

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Stable (since August 07, 2025)

Changelog

Bug fixes

• Pin Nix version to 2.28.4 to avoid JSON type error (#19223, 9df4992)
• Upgrade to 1.24.6 to fix race in lib/pq queries (#19214) (#19219, 7f6cefd)

  ⚠ Resolves CVE-2025-47907, details can be found here in golang/go. Additionally, see our blog about this vulnerability.

• Use system context for querying workspaces when deleting users (#19211) (#19227, c219a9a)
• Backport coder desktop + corporate vpn fixes for 2.24 (#19177, bc502b5)

Chores

• Publish CLI binaries and detached signatures to releases.coder.com (#18901, 3e0645c)
• Database: Optimize AuditLogs queries (#19193, 5ff7496) (@kacpersaw)

Compare: v2.24.2...v2.24.3

Container image

• docker pull ghcr.io/coder/coder:v2.24.3

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Stable (since August 07, 2025)

Changelog

• Upgrade to 1.24.6 to fix race in lib/pq queries (#19214) (#19219, 7f6cefd)

  ⚠ Resolves CVE-2025-47907, details can be found here in golang/go. Additionally, see our blog about this vulnerability.

• Publish CLI binaries and detached signatures to releases.coder.com (#18901, 3e0645c)

Compare: v2.23.4...v2.23.5

Container image

• docker pull ghcr.io/coder/coder:v2.23.5

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Changelog

BREAKING CHANGES

• Route connection logs to Connection log instead of Audit log (#18340, 08e17a0) (@ethanndickson)

  Connections to workspaces (via SSH, workspace apps, or browser port-forwarding) will no longer create entries in the audit log. Those events will now be included in the 'Connection Log'.
  Please see the 'Connection Log' page in the dashboard, and the Connection Log documentation for details. Those with permission to view the Audit Log will also be able to view the Connection Log. The new Connection Log has the same licensing restrictions as the Audit Log, and requires a Premium Coder deployment.

• Delete old connection events from audit log (#18735, f42de9f) (@ethanndickson)

  With new connection events appearing in the Connection Log, connection events older than 90 days will now be deleted from the Audit Log. If you require this legacy data, we recommend querying it from the REST API or making a backup of the database/these events before upgrading your Coder deployment. Please see the PR for details on what exactly will be deleted.
  Note: There are currently no plans to delete connection events from the Connection Log.

• Add ability to cancel pending workspace build (#18713, 8202514) (@kacpersaw)

  CancelWorkspaceBuild method in codersdk now accepts an optional request parameter.

• Use devcontainer ID when rebuilding a devcontainer (#18604, f2d229e) (@DanielleMaywood)

  Minor breaking change for workspaces enabled by our devcontainer integration.
  Allows rebuilding a devcontainer without a valid devcontainer ID.

• CLI: Add CLI support for creating workspace with presets (#18912, b975d6d) (@ssncferreira)

  This breaking change impacts the coder create CLI command only for templates which contain presets.

  It introduces a --preset flag to the create command, which modifies the behavior when no preset is explicitly provided:

  • If the template includes presets and a default preset, the default will be automatically applied. The user will be notified, but not prompted.
  • If the template includes presets without a default, the user will be prompted to choose a preset.

  This breaks existing workflows for templates with presets that:

  • Expect the create command to proceed without applying a preset
  • Rely on non-interactive scripts or automated workflows, which will now fail or hang due to unexpected prompts

Features

• Dynamic Parameters is now generally available:

  

  • Remove beta labels for dynamic parameters (#18976, d7b1253) (@jaaydenh)
  • Allow new immutable parameters for existing workspaces (#18579, e396b06) (@Emyrk)
  • Allow masking workspace parameter inputs (#18595, 0b82f41) (@aslilac)
  • Support dynamic parameters on create template request (#18636, 4072d22) (@Emyrk)
  • Display descriptions in multi-select component (#18730, 61b6562) (@jaaydenh)
  • Add search to parameter dropdowns (#18729, 52c4b61) (@aslilac)
  • Include template variables in dynamic parameter rendering (#18819, aedc019) (@Emyrk)
  • Improve workspace upgrade flow when template parameters change (#18917, 19afeda) (@aslilac)
  • Make dynamic parameters opt-in by default for new templates (#19006, 1320b8d) (@jaaydenh)
• Coder may now be used as an OAuth2 provider (experimental):
  • Add authorization server metadata endpoint, PKCE support (#18548, 6f2834f) (@ThomasK33)
  • Add RFC 8707 resource indicators, audience validation (#18575, f0c9c4d) (@ThomasK33)
  • Add protected resource metadata endpoint for RFC 9728 (#18643, 33bbf18) (@ThomasK33)
  • Implement OAuth2 dynamic client registration (RFC 7591/7592) (#18645, 74e1d5c) (@ThomasK33)
  • Add experimental OAuth2 provider functionality (#18692, 1555154) (@ThomasK33)
  • Implement RFC 6750 Bearer token authentication (#18644, 09c5055) (@ThomasK33)
  • Add RFC 9728 OAuth2 resource metadata support (#18920, 071383b) (@ThomasK33)
• The external Coder MCP server is now available as an experiment:

  Use any agent to create coder workspaces.

  • Implement MCP HTTP server endpoint with authentication (#18670, 494dccc) (@ThomasK33)
  • Add MCP HTTP server experiment and improve experiment middleware (#18712, 7fbb3ce) (@ThomasK33)
  • Add workspace SSH execution tool for AI SDK (#18924, 326c024) (@ThomasK33)
  • SDK: Add MCP workspace bash background parameter (#19034, b666d52) (@hugodutka)
• Added new connection logs as a separate entity from audit logs

  

  • Dashboard: Add connection log page (#18708, b5260d5) (@ethanndickson)
  • Add connectionlogs API (#18628, 7a339a1) (@ethanndickson)
• Improvements to Coder Tasks:

  

  • Add task link in the workspace page when it is running a task (#18591, 2d44add) (@BrunoQuaresma)
  • Redirect to the task page after creation (#18626, 29ef3a8) (@BrunoQuaresma)
  • Make task panels resizable (#18590, 8eebb4f) (@BrunoQuaresma)
  • Add preset selector in TasksPage (#19012, 9a05a8a) (@johnstcn)
• Improvements to our Devcontainers integration:
  • Agent: Automaticall detect dev containers (#18950, f41275e) (@DanielleMaywood)
  • Agent: Allow auto start for discovered containers (#19040, 66cf90c) (@DanielleMaywood)
  • CLI: Improve devcontainer support for coder show (#18793, 5f50dcc) (@mafredri)
  • CLI: Replace open vscode container with devcontainer subagent (#18765, 6c4db7a) (@mafredri)
  • Install dotfiles if present (#18606, 872aef3) (@mafredri)
• Administrators can now track usage of agentic AI workspaces:

  Premium licensed customers have a default of 800 agentic workspaces per user. This limit will likely never be hit.

  • Add managed_agent_limit licensing feature (#18876, 183a6eb) (@deansheather)
  • Add managed ai usage consumption to license view (#18934, 36d2e01) (@ibetitsmike)
• Allow users to pause prebuilt workspace reconciliation (#18700, 01163ea) (@SasSwart)
• Use parameter preview engine to compute workspace tags from terraform (#18720, a099a8a) (@Emyrk)
• Add publishing of helm charts to ghcr registry (#18316, 10c1e36) (@a1994sc)
• Automatically reconnect the terminal (#18796, 5a8a19b) (@BrunoQuaresma)
• Publish CLI binaries and detached signatures to releases.coder.com (#18874, e4d3453) (@jdomeracki-coder)
• Add managed agent license limit checks (#18937, 9a6dd73) (@deansheather)
• Extend workspace build reasons to track connection types (#18827, 482463c) (@kacpersaw)
• Add View Source button for template administrators in workspace creation (#18951, 28789d7) (@app/blink-so)
• Add timeout support to workspace bash tool (#19035, 398e80f) (@ThomasK33)
• Support icon and description in preset (#18977, 0672bf5) (@ssncferreira)
• Support shift+enter in terminal (#19021, 558e25d) (@code-asher)
• CLI: Add CLI support for listing presets (#18910, 931b97c) (@ssncferreira)
• CLI: Support description in create and presets list CLI commands (#19079, 4e7331a) (@ssncferreira)
• Helm: Add pod-level securityContext support for certificate mounting (#19041, faac753) (@ausbru87)
• Dashboard: Support icon and description in preset (#19063, 71738f6) (@ssncferreira)

Bug fixes

• Hide the preset parameter visibility switch when it has no effect (#18574, 634144f) (@SasSwart)
• Pin Nix version to 2.28.4 to avoid JSON type error (#18612, 1b1d091) (@ThomasK33)
• Cap max X11 forwarding ports and evict old (#18561, 9e1cf16) (@spikecurtis)
• Use memmap file system for TestServer_X11 (#18562, 6bebfd0) (@spikecurtis)
• Use default preset when creating a workspace for task (#18623, 6d305df) (@BrunoQuaresma)
• Use only template version ID to create task workspace (#18642, 4095330) (@BrunoQuaresma)
• Display error message when delete workspace fails (#18654, ad67733) (@jaaydenh)
• Use client preferred URL for the default DERP (#18911, a1b87a6) (@deansheather)
• Prioritise human-initiated builds over prebuilds in provisioner queue (#18933, c4b69bb) (@johnstcn)
• Debounce parameter slider to avoid laggy behavior (#18980, dd2fb89) (@jaaydenh)
• Avoid duplicating logs on Coder Connect Windows (#19052, 2a430ab) (@deansheather)
• Sanitize app status summary to resolve confusing errors in coder tasks (#19075, 812d72c) (@johnstcn)
• Agent: Delay containerAPI init to ensure startup scripts run before (#18630, 7e99fb7) (@mafredri)
• Agent: Fix script filtering for devcontainers (#18635, 8ee2668) (@mafredri)
• Agent: Disable dev container integration inside sub agents (#18781, 0118e75) (@DanielleMaywood)
• Agent: Stop logging empty lines (#18605, 98c77fe) (@DanielleMaywood)
• Agent: Respect ignore files (#19016, 25d70ce) (@DanielleMaywood)
• CLI: Calculate coder ping max correctly (#18734, 7500aa4) (@ethanndickson)
• fix(.devcontainer): add home volume and fix code-server and filebrowser (#18648, d814fdf) (@mafredri)
• Dashboard: Update vscode.dev container button URLs (#18696, 8b6d70b) (@mafredri)
• Dashboard: Only attempt to watch containers when agent connected (#18873, 089f960) (@DanielleMaywood)
• Dashboard: Exclude workspace schedule settings for prebuilt workspaces (#18826, dad033e) (@ssncferreira)
• Dashboard: Only attempt to watch when dev containers enabled (#18892, bfb9aa4) (@DanielleMaywood)
• Dashboard: Speed up state syncs and valid...

Stable (since August 05, 2025)

Changelog

Bug fixes

• Exclude prebuilt workspaces from lifecycle executor to avoid overprovisioning prebuilds (#18858, 51e60b7) (@ssncferreira)
• Add RDP icon for modules and Desktop (#18737, d027a3f) (@matifali)
• Add Kiro icon for modules (#18885, 3c602b0) (@matifali)
• Add Kiro: protocol to external app whitelist for Kiro module (#18886, 33885af) (@app/blink-so)
• Sign coder binaries with the release key using GPG (#18774) (#18868, 5096582) (@jdomeracki-coder)
• Add image styles for kiro.svg (#18889, 0ead64f) (@matifali)

Compare: v2.24.1...v2.24.2

Container image

• docker pull ghcr.io/coder/coder:v2.24.2

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Stable (since July 15, 2025)

Changelog

Bug fixes

• CLI: Handle nil unwrap errors when formatting to fix error messages when offline (#18821, a7f0dba) (@ethanndickson)
• Add RDP icon for modules and Desktop (#18738, 63155d2) (@matifali)
• sign coder binaries with the release key using GPG (#18867, 1c8ba51) (@jdomeracki-coder)

Compare: v2.23.3...v2.23.4

Container image

• docker pull ghcr.io/coder/coder:v2.23.4

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Stable (since July 09, 2025)

Changelog

Bug fixes

• Handle paths with spaces when using coder config-ssh (#18778, 049feec) (@spikecurtis)

Compare: v2.23.2...v2.23.3

Container image

• docker pull ghcr.io/coder/coder:v2.23.3

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.