Skip to main content

Coder CVE-2026-46354

CRITICAL
Improper Verification of Cryptographic Signature (CWE-347)
2026-05-19 https://github.com/coder/coder GHSA-6x44-w3xg-hqqf
9.1
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (https://github.com/coder/coder) · only source for this CVE.

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 20:30 vuln.today
Analysis Generated
May 19, 2026 - 20:30 vuln.today

DescriptionCVE.org

Summary

azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. {"vmId":"<target>"} and the forged vmId will be accepted returning the victim workspace agent's session token.

No authentication is required. The attacker only needs to know a target VM's vmId which is a UUIDv4. > that's a practical limitation which would typically require prior access to be exploited

Root Cause

In unpatched Coder releases the signature over the PKCS#7 content is not validated - only the signing certificate is checked.

Impact

An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can:

  1. Steal an agent session token by sending a forged PKCS#7 envelope to POST /api/v2/workspaceagents/azure-instance-identity which is unauthenticated.
  2. With the stolen token access:
  • Git SSH private key via GET /workspaceagents/me/gitsshkey: push to repositories and impersonate the workspace owner.
  • OAuth access tokens via GET /workspaceagents/me/external-auth: GitHub, GitLab, and Bitbucket tokens in plaintext.
  • Workspace secrets via the agent manifest: environment variables, file paths, and API keys.

Attack Path Diagram

<img width="5588" height="4176" alt="PKCS7_diagram (1)" src="https://github.com/user-attachments/assets/74e88a89-a995-450d-87ab-6feed03579a5" />

Affected Versions

All versions of Coder v2 are affected.

Patches

Fixed in #25286

The fix was backported to all supported release lines:

Workarounds

If unable to patch we recommend immediately reconfiguring any Azure templates to use token authentication rather than azure-instance-identity until the patch is released and you are fully upgraded.

  1. Modify the coder_agent.auth value to be token.
  2. Add CODER_AGENT_TOKEN=${coder_agent.main.token} to the set of environment variables for the Coder Workspace Agent initialization script.

Recognition

We'd like to thank Ben Tran of calif.io and Anthropic’s Security Team (ANT-2026-22445) for independently disclosing this issue!

AnalysisAI

Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.

Technical ContextAI

Coder is an open-source self-hosted cloud development environment (pkg:go/github.com/coder/coder/v2) where workspace agents authenticate to the control plane. For Azure-hosted workspaces, agents present a PKCS#7-signed attestation from Azure Instance Metadata Service (IMDS) to bootstrap their session token. The flaw is a classic CWE-347 (Improper Verification of Cryptographic Signature): the original implementation called signer.Verify() on the certificate chain only, never validating that the PKCS#7 SignedData content was actually signed by the private key corresponding to the embedded certificate. The patch replaces go.mozilla.org/pkcs7 with github.com/smallstep/pkcs7 and uses VerifyWithChainAtTime, which performs both the cryptographic signature check over the content and the chain-of-trust check in a single call. Because any Azure IMDS certificate is reachable (it can be harvested from any Azure VM or pulled from Certificate Transparency logs), the cryptographic trust anchor effectively collapsed to attacker-controllable input.

RemediationAI

Vendor-released patches: upgrade to v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, or v2.24.5 depending on your release line (release notes linked from https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf; underlying fix in PR https://github.com/coder/coder/pull/25286). If immediate upgrade is not possible, the vendor-recommended workaround is to reconfigure Azure templates away from Azure Instance Identity to token authentication by setting coder_agent.auth = "token" in the Terraform resource and injecting CODER_AGENT_TOKEN=${coder_agent.main.token} into the agent initialization script's environment; the side effect is that each agent now requires the control plane to provision and distribute a long-lived token, removing the automatic Azure-attested bootstrap and shifting token-rotation responsibility to operators. After upgrading, rotate any agent tokens, Git SSH keys, and OAuth tokens that may have been exposed prior to patching, since past exploitation would not leave obvious traces on the unauthenticated endpoint.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-46354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy