Skip to main content

Coder CVE-2026-55075

HIGH
Improper Authentication (CWE-287)
2026-07-06 https://github.com/coder/coder GHSA-9r87-mvcw-x35f
7.4
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Network OIDC flow (AV:N) with no Coder privileges (PR:N) or interaction, but AC:H because the attacker must control a matching unverified email and the victim must be unlinked; full account takeover gives C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 06, 2026 - 21:47 vuln.today
CVE Published
Jul 06, 2026 - 20:52 github-advisory
HIGH 7.4

DescriptionCVE.org

Summary

Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified.

Impact

An attacker who could authenticate at the configured OIDC provider with an email matching a victim's Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.

Patches

The fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

Configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.

Resources

  • Fix: #25712, #25713

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22450) for independently disclosing this issue!

AnalysisAI

Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify victim's Coder account email
Delivery
Register/control matching email at OIDC provider
Exploit
Complete OIDC login to Coder
Execution
Bypass email_verified and subject-link checks
Persist
Session linked to victim account
Impact
Full access to victim workspaces and templates

Vulnerability AssessmentAI

Exploitation Exploitation requires all of: OIDC authentication enabled on the Coder deployment; the attacker being able to authenticate at the configured OIDC provider with an email address that matches a victim's Coder account (i.e., the IdP allows self-registration or otherwise lets the attacker obtain that email identity); and the victim's Coder account not yet being linked to a different IdP subject. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, 7.4) is internally consistent with the description: network-reachable, no privileges on Coder itself, no user interaction, high confidentiality and integrity impact via full account takeover, and high attack complexity because the attacker must satisfy several preconditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker learns the email address of a target Coder user and registers or controls that same email at the organization's OIDC provider (for example on an IdP that permits self-service signup without strict verification). The attacker completes a normal OIDC login flow; because Coder matches by email and treats the missing/malformed email_verified claim as verified, it links the session to the victim's existing, not-yet-IdP-bound Coder account, granting the attacker full access to the victim's workspaces, templates and resources. …
Remediation Vendor-released patches are available: upgrade to Coder v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (ESR) depending on your release line - the fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Coder deployments and identify currently deployed versions; review identity provider audit logs for unusual authentication activity and suspicious account access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy