Skip to main content

Coder CVE-2026-55076

HIGH
Improper Authentication (CWE-287)
2026-07-06 https://github.com/coder/coder GHSA-75vm-6w67-gwvp
7.4
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Network OIDC flow with no Coder auth (PR:N) and no user interaction; AC:H because it depends on a non-conformant IdP and a pre-existing victim account; account takeover yields C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 06, 2026 - 21:45 vuln.today
CVE Published
Jul 06, 2026 - 20:50 github-advisory
HIGH 7.4

DescriptionCVE.org

Summary

Coder's OIDC callback checked email_verified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean (for example the string "false") or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover.

Impact

An attacker who registered a victim's email at a compatible IdP without verifying it could log in via OIDC and be matched to the victim's existing Coder account, receiving a session for that account. No prior authentication to Coder was required and the result was full account takeover.

Patches

The fix coerces email_verified across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

Ensure the IdP returns email_verified as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required.

Resources

  • Fix: #25712, #25713

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22444) for independently disclosing this issue!

AnalysisAI

Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go bool type assertion on the email_verified claim failed open when an IdP returned the claim as a non-boolean (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register victim email at compatible IdP
Delivery
Initiate OIDC login to Coder
Exploit
email_verified assertion fails open
Execution
Email fallback matches victim account
Persist
Receive session as victim
Impact
Full account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) Coder is configured with OIDC SSO and the unconditional email-based account fallback is in effect; (2) the trusted/compatible identity provider returns the `email_verified` claim as a non-native-boolean value such as the string "false", or omits the claim entirely, causing the Go bool assertion to fail open; (3) the attacker can register the victim's email address at that IdP without actually verifying ownership; and (4) the victim already has an existing Coder account tied to that email. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, 7.4 High) is internally consistent with the described attack: network-reachable, no prior Coder authentication (PR:N), no victim interaction (UI:N), high confidentiality and integrity impact from full account takeover, and AC:H reflecting the meaningful preconditions (a compatible/non-conformant IdP, the email-fallback path, and a victim who already has an account). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a target Coder user's email address, then registers that same email at an OIDC identity provider Coder trusts (or one whose `email_verified` claim is emitted as a string or omitted) without completing email verification. The attacker initiates OIDC login to Coder; the callback treats the unverified email as verified and the email-fallback matches the session to the victim's existing account, granting the attacker full control of that account. …
Remediation Upgrade to a patched release for your line: v2.34.2 (2.34), v2.33.8 (2.33), v2.32.7 (2.32), or v2.29.17 (2.29 ESR) - the fix coerces `email_verified` across bool, string and numeric types with fail-closed semantics and blocks the email fallback when the matched user already has a different linked IdP subject. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Coder deployments in your environment and cross-reference versions against Coder release notes to determine vulnerability status. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy