Coder CVE-2026-55075
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Network OIDC flow (AV:N) with no Coder privileges (PR:N) or interaction, but AC:H because the attacker must control a matching unverified email and the victim must be unlinked; full account takeover gives C:H/I:H, no availability impact.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified.
Impact
An attacker who could authenticate at the configured OIDC provider with an email matching a victim's Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.
Patches
The fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type.
The fix was backported to all supported release lines:
Workarounds
Configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
Resources
- Fix: #25712, #25713
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22450) for independently disclosing this issue!
AnalysisAI
Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of: OIDC authentication enabled on the Coder deployment; the attacker being able to authenticate at the configured OIDC provider with an email address that matches a victim's Coder account (i.e., the IdP allows self-registration or otherwise lets the attacker obtain that email identity); and the victim's Coder account not yet being linked to a different IdP subject. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, 7.4) is internally consistent with the description: network-reachable, no privileges on Coder itself, no user interaction, high confidentiality and integrity impact via full account takeover, and high attack complexity because the attacker must satisfy several preconditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker learns the email address of a target Coder user and registers or controls that same email at the organization's OIDC provider (for example on an IdP that permits self-service signup without strict verification). The attacker completes a normal OIDC login flow; because Coder matches by email and treats the missing/malformed email_verified claim as verified, it links the session to the victim's existing, not-yet-IdP-bound Coder account, granting the attacker full access to the victim's workspaces, templates and resources. … |
| Remediation | Vendor-released patches are available: upgrade to Coder v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (ESR) depending on your release line - the fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Coder deployments and identify currently deployed versions; review identity provider audit logs for unusual authentication activity and suspicious account access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9r87-mvcw-x35f