CVE-2026-46354
Received Received - Intake

Authentication Bypass in Coder via Azure Certificate Spoofing

Vulnerability report for CVE-2026-46354, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{"vmId":"<target>"}` and the forged `vmId` will be accepted returning the victim workspace agent's session token. No authentication is required. The attacker only needs to know a target VM's `vmId` which is a `UUIDv4`. That's a practical limitation which would typically require prior access to be exploited. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, reconfigure any Azure templates to use token authentication rather than `azure-instance-identity`.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Coder's remote development environment provisioning via Terraform in certain versions before 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3. The function azureidentity.Validate() checks that the PKCS#7 signer certificate chains to a trusted Azure CA but fails to verify the PKCS#7 signature itself.

An attacker can exploit this by embedding a legitimate Azure certificate alongside arbitrary content, such as a forged vmId, which is accepted by the system. This allows the attacker to obtain the victim workspace agent's session token without any authentication.

The attacker only needs to know the target VM's vmId, which is a UUIDv4, making exploitation practically limited to those with prior access or knowledge.

The issue is patched in versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3. A workaround is to reconfigure Azure templates to use token authentication instead of azure-instance-identity.

Impact Analysis

This vulnerability can lead to unauthorized access to a victim's workspace agent session token, allowing an attacker to impersonate the victim's session.

Since no authentication is required to exploit this, an attacker who knows a target VM's vmId can gain access, potentially leading to unauthorized actions within the development environment.

The impact includes compromise of confidentiality and integrity of the affected system, as indicated by the CVSS score of 9.1 with high confidentiality and integrity impact.

Mitigation Strategies

To mitigate this vulnerability, update Coder to one of the patched versions: 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, or 2.33.3.

As a workaround, reconfigure any Azure templates to use token authentication instead of azure-instance-identity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart