Coder CVE-2026-46354
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (https://github.com/coder/coder) · only source for this CVE.
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. {"vmId":"<target>"} and the forged vmId will be accepted returning the victim workspace agent's session token.
No authentication is required. The attacker only needs to know a target VM's vmId which is a UUIDv4. > that's a practical limitation which would typically require prior access to be exploited
Root Cause
In unpatched Coder releases the signature over the PKCS#7 content is not validated - only the signing certificate is checked.
Impact
An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can:
- Steal an agent session token by sending a forged PKCS#7 envelope to
POST /api/v2/workspaceagents/azure-instance-identitywhich is unauthenticated. - With the stolen token access:
- Git SSH private key via
GET /workspaceagents/me/gitsshkey: push to repositories and impersonate the workspace owner. - OAuth access tokens via
GET /workspaceagents/me/external-auth: GitHub, GitLab, and Bitbucket tokens in plaintext. - Workspace secrets via the agent manifest: environment variables, file paths, and API keys.
Attack Path Diagram
<img width="5588" height="4176" alt="PKCS7_diagram (1)" src="https://github.com/user-attachments/assets/74e88a89-a995-450d-87ab-6feed03579a5" />
Affected Versions
All versions of Coder v2 are affected.
Patches
Fixed in #25286
The fix was backported to all supported release lines:
Workarounds
If unable to patch we recommend immediately reconfiguring any Azure templates to use token authentication rather than azure-instance-identity until the patch is released and you are fully upgraded.
- Modify the
coder_agent.authvalue to betoken. - Add
CODER_AGENT_TOKEN=${coder_agent.main.token}to the set of environment variables for the Coder Workspace Agent initialization script.
Recognition
We'd like to thank Ben Tran of calif.io and Anthropic’s Security Team (ANT-2026-22445) for independently disclosing this issue!
AnalysisAI
Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.
Technical ContextAI
Coder is an open-source self-hosted cloud development environment (pkg:go/github.com/coder/coder/v2) where workspace agents authenticate to the control plane. For Azure-hosted workspaces, agents present a PKCS#7-signed attestation from Azure Instance Metadata Service (IMDS) to bootstrap their session token. The flaw is a classic CWE-347 (Improper Verification of Cryptographic Signature): the original implementation called signer.Verify() on the certificate chain only, never validating that the PKCS#7 SignedData content was actually signed by the private key corresponding to the embedded certificate. The patch replaces go.mozilla.org/pkcs7 with github.com/smallstep/pkcs7 and uses VerifyWithChainAtTime, which performs both the cryptographic signature check over the content and the chain-of-trust check in a single call. Because any Azure IMDS certificate is reachable (it can be harvested from any Azure VM or pulled from Certificate Transparency logs), the cryptographic trust anchor effectively collapsed to attacker-controllable input.
RemediationAI
Vendor-released patches: upgrade to v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, or v2.24.5 depending on your release line (release notes linked from https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf; underlying fix in PR https://github.com/coder/coder/pull/25286). If immediate upgrade is not possible, the vendor-recommended workaround is to reconfigure Azure templates away from Azure Instance Identity to token authentication by setting coder_agent.auth = "token" in the Terraform resource and injecting CODER_AGENT_TOKEN=${coder_agent.main.token} into the agent initialization script's environment; the side effect is that each agent now requires the control plane to provision and distribute a long-lived token, removing the automatic Azure-attested bootstrap and shifting token-rotation responsibility to operators. After upgrading, rotate any agent tokens, Git SSH keys, and OAuth tokens that may have been exposed prior to patching, since past exploitation would not leave obvious traces on the unauthenticated endpoint.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-6x44-w3xg-hqqf