Coder CVE-2026-55076
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Network OIDC flow with no Coder auth (PR:N) and no user interaction; AC:H because it depends on a non-conformant IdP and a pre-existing victim account; account takeover yields C:H/I:H, no availability impact.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
Coder's OIDC callback checked email_verified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean (for example the string "false") or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover.
Impact
An attacker who registered a victim's email at a compatible IdP without verifying it could log in via OIDC and be matched to the victim's existing Coder account, receiving a session for that account. No prior authentication to Coder was required and the result was full account takeover.
Patches
The fix coerces email_verified across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject.
The fix was backported to all supported release lines:
Workarounds
Ensure the IdP returns email_verified as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required.
Resources
- Fix: #25712, #25713
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22444) for independently disclosing this issue!
AnalysisAI
Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go bool type assertion on the email_verified claim failed open when an IdP returned the claim as a non-boolean (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) Coder is configured with OIDC SSO and the unconditional email-based account fallback is in effect; (2) the trusted/compatible identity provider returns the `email_verified` claim as a non-native-boolean value such as the string "false", or omits the claim entirely, causing the Go bool assertion to fail open; (3) the attacker can register the victim's email address at that IdP without actually verifying ownership; and (4) the victim already has an existing Coder account tied to that email. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, 7.4 High) is internally consistent with the described attack: network-reachable, no prior Coder authentication (PR:N), no victim interaction (UI:N), high confidentiality and integrity impact from full account takeover, and AC:H reflecting the meaningful preconditions (a compatible/non-conformant IdP, the email-fallback path, and a victim who already has an account). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a target Coder user's email address, then registers that same email at an OIDC identity provider Coder trusts (or one whose `email_verified` claim is emitted as a string or omitted) without completing email verification. The attacker initiates OIDC login to Coder; the callback treats the unverified email as verified and the email-fallback matches the session to the victim's existing account, granting the attacker full control of that account. … |
| Remediation | Upgrade to a patched release for your line: v2.34.2 (2.34), v2.33.8 (2.33), v2.32.7 (2.32), or v2.29.17 (2.29 ESR) - the fix coerces `email_verified` across bool, string and numeric types with fail-closed semantics and blocks the email fallback when the matched user already has a different linked IdP subject. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Coder deployments in your environment and cross-reference versions against Coder release notes to determine vulnerability status. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-75vm-6w67-gwvp