CVE-2026-55076
Received Received - Intake

Authentication Bypass in Coder via OIDC email_verified Handling

Vulnerability report for CVE-2026-55076, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the string `"false"`) or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 coerces `email_verified` across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coder coder to 2.34.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-704 The product does not correctly convert an object, resource, or structure from one type to a different type.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Coder's OIDC callback prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2. The issue arises because the system checked the `email_verified` claim using a direct Go boolean type assertion. If the Identity Provider (IdP) returned the claim as a non-boolean value (such as the string "false") or omitted it, the assertion failed open, causing the email to be treated as verified even when it was not.

Combined with an unconditional email-based account fallback, this flaw allowed attackers to take over accounts. The fix involves coercing the `email_verified` claim across boolean, string, and numeric types in a fail-closed manner and blocking the email fallback if the matched user already has a different linked IdP subject.

As a temporary workaround, the IdP must return `email_verified` as a native JSON boolean, but the email-fallback linking issue requires upgrading to a fixed version.

Impact Analysis

This vulnerability can lead to account takeover because the system may incorrectly treat an unverified email as verified. Attackers can exploit this by bypassing proper verification checks and gaining unauthorized access to user accounts.

Such unauthorized access can compromise confidentiality and integrity of user data and resources within the Coder environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Coder to one of the fixed versions: 2.29.7, 2.32.7, 2.33.8, or 2.34.2.

As a workaround before upgrading, ensure that your Identity Provider (IdP) returns the 'email_verified' claim as a native JSON boolean value.

Note that the email-fallback linking issue has no configuration workaround, so upgrading is required to fully address the vulnerability.

Compliance Impact

This vulnerability allows an attacker to bypass email verification and potentially take over user accounts due to improper handling of the email_verified claim in OIDC callbacks. Such unauthorized account takeover risks compromising sensitive user data.

Because the vulnerability can lead to unauthorized access to user accounts and sensitive information, it may negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of personal data.

Mitigating this vulnerability by upgrading to fixed versions or ensuring proper IdP configuration is essential to maintain compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55076. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart