Skip to main content

Coder AI Bridge CVE-2026-55435

| EUVDEUVD-2026-42071 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-06 https://github.com/coder/coder GHSA-wqxv-w64v-5wh6
5.4
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Valid API key required (PR:L, AV:N); impact limited to LLM proxy access and MCP tool invocation with no availability or scope-change effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 22:39 vuln.today

DescriptionCVE.org

Summary

AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working.

> Note: Practical impact is limited to already-issued API keys of suspended users until those keys are deleted.

Impact

A suspended user with a previously issued long-lived token could continue calling AI Bridge LLM proxy endpoints, consuming paid provider resources billed to the deployment and, if injected MCP tools are enabled, invoking those tools. Access persists until the token expires, which may be months after suspension.

Patches

The fix makes AI Bridge authorization reject non-active users like the standard API key middleware. AI Bridge was introduced in v2.30.0. The v2.29 ESR line is not affected.

The fix is available in the following releases:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7

Workarounds

On suspension, delete the user's API keys via DELETE /api/v2/users/{user}/keys.

Resources

  • Fix: #26173

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22446) for independently disclosing this issue!

AnalysisAI

Incorrect authorization in Coder's AI Bridge proxy (introduced in v2.30.0) permits suspended users to continue accessing LLM proxy endpoints using previously issued, unexpired API keys. The Server.IsAuthorized function in coderd/aibridgeserver validates key format, expiry, secret, and deleted/system-user status but omits the active/suspended status check present in the standard API key middleware, creating a divergence that survives indefinitely until tokens expire or are manually deleted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains long-lived API key prior to account suspension
Delivery
Admin suspends user account
Exploit
Standard API middleware blocks access to other Coder endpoints
Execution
AI Bridge IsAuthorized skips suspension status check
Persist
Attacker sends authenticated requests to LLM proxy endpoints
Impact
Organization incurs unauthorized LLM provider billing charges

Vulnerability AssessmentAI

Exploitation Three conditions must be simultaneously true: (1) the Coder deployment runs v2.30.0 or later with AI Bridge enabled - deployments on v2.29 ESR or older are not affected; (2) the attacker holds a previously issued, unexpired API key for their now-suspended account - short-lived tokens reduce the exploitable window proportionally; (3) the attacker knows or can infer the AI Bridge proxy endpoint URL. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.4 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) accurately reflects the bounded nature of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer whose Coder account is suspended during offboarding retains a long-lived API token issued prior to suspension. Because the AI Bridge proxy does not check suspension status, the developer can continue sending requests to LLM proxy endpoints, consuming cloud provider credits billed to the organization; if MCP tools are configured, the developer can also invoke those tools with their pre-suspension permission scope until the token's expiry date - which may be months away. …
Remediation Upgrade to v2.34.2, v2.33.8, or v2.32.7 depending on the active release line; these versions align AI Bridge authorization with the standard API key middleware by rejecting non-active users. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55435 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy