Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
On-path MITM prerequisite makes AC:H; no auth or user interaction (PR:N/UI:N); intercepted tokens/keys give C:H and I:H, with no availability impact (A:N).
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Summary
The AI Bridge Proxy (aibridgeproxyd) created a goproxy server whose default transport set InsecureSkipVerify: true and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate.
> Note: Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected.
Impact
An attacker positioned between the proxy and the Coder server, via ARP spoofing, DNS poisoning or control of proxy environment variables, could intercept injected Coder session tokens, user-supplied provider API keys (BYOK) and full request and response bodies including prompts and completions. The default transport also honored HTTP_PROXY and HTTPS_PROXY, allowing environment-based traffic redirection.
Patches
The fix applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. The AI Bridge Proxy was introduced in v2.30.0. Earlier release lines including the v2.29 ESR line are not affected.
The fix is available in the following releases:
Workarounds
Ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS).
Resources
- Fix: #26131
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22455) for independently disclosing this issue!
AnalysisAI
Man-in-the-middle interception affects the Coder AI Bridge Proxy (aibridgeproxyd), introduced in Coder v2.30.0, where the goproxy default transport set InsecureSkipVerify:true and only used a secure transport when an upstream proxy was configured. In the default no-upstream-proxy configuration, outbound HTTPS to the Coder access URL accepted any TLS certificate, letting an on-path attacker decrypt traffic and steal Coder session tokens, BYOK provider API keys, and full prompt/completion bodies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the AI Bridge Proxy (aibridgeproxyd) running in its default configuration with NO upstream proxy configured - this is the exact condition that leaves InsecureSkipVerify:true active on the outbound transport to the Coder access URL. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mostly consistent and point to a real-but-conditional High-severity issue rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who gains a network-adjacent position on the segment between an AI Bridge Proxy and the Coder server - for instance via ARP spoofing on a shared LAN or by poisoning DNS resolution for the access URL - presents a rogue TLS certificate that the default proxy transport accepts without validation. They then transparently proxy the HTTPS session, capturing injected Coder session tokens, user-supplied provider API keys, and the full plaintext of AI prompts and completions. … |
| Remediation | Upgrade to a fixed release, which applies the secure transport (TLS 1.2+ validated against system root CAs) unconditionally: Vendor-released patch v2.34.2 (https://github.com/coder/coder/releases/tag/v2.34.2) for the 2.34 line, v2.33.8 for the 2.33 line, or v2.32.7 for the 2.32 line; the underlying fix is PR #26131 (https://github.com/coder/coder/pull/26131). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Coder instances running v2.30.0 or later and determine if they operate without an upstream proxy. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42149
GHSA-84rm-42xw-mx52