Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Valid API key required (PR:L, AV:N); impact limited to LLM proxy access and MCP tool invocation with no availability or scope-change effect.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Summary
AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working.
> Note: Practical impact is limited to already-issued API keys of suspended users until those keys are deleted.
Impact
A suspended user with a previously issued long-lived token could continue calling AI Bridge LLM proxy endpoints, consuming paid provider resources billed to the deployment and, if injected MCP tools are enabled, invoking those tools. Access persists until the token expires, which may be months after suspension.
Patches
The fix makes AI Bridge authorization reject non-active users like the standard API key middleware. AI Bridge was introduced in v2.30.0. The v2.29 ESR line is not affected.
The fix is available in the following releases:
Workarounds
On suspension, delete the user's API keys via DELETE /api/v2/users/{user}/keys.
Resources
- Fix: #26173
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22446) for independently disclosing this issue!
AnalysisAI
Incorrect authorization in Coder's AI Bridge proxy (introduced in v2.30.0) permits suspended users to continue accessing LLM proxy endpoints using previously issued, unexpired API keys. The Server.IsAuthorized function in coderd/aibridgeserver validates key format, expiry, secret, and deleted/system-user status but omits the active/suspended status check present in the standard API key middleware, creating a divergence that survives indefinitely until tokens expire or are manually deleted. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must be simultaneously true: (1) the Coder deployment runs v2.30.0 or later with AI Bridge enabled - deployments on v2.29 ESR or older are not affected; (2) the attacker holds a previously issued, unexpired API key for their now-suspended account - short-lived tokens reduce the exploitable window proportionally; (3) the attacker knows or can infer the AI Bridge proxy endpoint URL. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.4 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) accurately reflects the bounded nature of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer whose Coder account is suspended during offboarding retains a long-lived API token issued prior to suspension. Because the AI Bridge proxy does not check suspension status, the developer can continue sending requests to LLM proxy endpoints, consuming cloud provider credits billed to the organization; if MCP tools are configured, the developer can also invoke those tools with their pre-suspension permission scope until the token's expiry date - which may be months away. … |
| Remediation | Upgrade to v2.34.2, v2.33.8, or v2.32.7 depending on the active release line; these versions align AI Bridge authorization with the standard API key middleware by rejecting non-active users. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42071
GHSA-wqxv-w64v-5wh6