CVE-2026-55075
Received Received - Intake

Authentication Bypass in Coder via OIDC Flaws

Vulnerability report for CVE-2026-55075, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coder coder to 2.34.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Coder, a platform that allows organizations to provision remote development environments via Terraform. Prior to certain fixed versions, there were two flaws in Coder's OIDC login process that could lead to account takeover.

First, the system would fall back to linking user accounts by email without verifying if the email was already linked to a different identity provider (IdP) subject. Second, the `email_verified` claim was only enforced when it was explicitly present as a boolean false; if the claim was absent or not a boolean, it was treated as verified.

These issues allowed attackers to bypass proper verification and potentially take over accounts. The fix involved restricting the email fallback linking to first-time and legacy linking only, and defaulting the `email_verified` claim to false when it is missing or of an unexpected type.

As a workaround, it is recommended to configure the OIDC provider to disallow self-registration or require email verification before issuing tokens.

Compliance Impact

This vulnerability allows account takeover through flaws in the OIDC login process, potentially leading to unauthorized access to user accounts and sensitive data.

Such unauthorized access could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on user authentication and protection of personal and sensitive information.

Specifically, failure to properly verify email claims and improper linking of user identities could result in data breaches or unauthorized data access, which are violations under these regulations.

Mitigations such as configuring the OIDC provider to disallow self-registration or require email verification before issuing tokens can help reduce compliance risks.

Impact Analysis

This vulnerability can lead to account takeover, meaning an attacker could gain unauthorized access to user accounts within the Coder platform.

Such unauthorized access could compromise sensitive development environments and code, potentially leading to data breaches, unauthorized code changes, or exposure of proprietary information.

Because the vulnerability allows bypassing of email verification and identity provider checks, it increases the risk of impersonation and unauthorized actions within the affected systems.

Mitigation Strategies

To mitigate this vulnerability, upgrade Coder to versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2 where the issue is fixed.

As a workaround, configure your OIDC provider to disallow self-registration or require email verification before issuing tokens.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55075. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart