CVE-2026-55435
Received Received - Intake

Authentication Bypass via Unsuspended API Keys in Coder

Vulnerability report for CVE-2026-55435, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
coder coder to 2.32.7 (exc)
coder coder to 2.32.7 (inc)
coder coder to 2.33.8 (inc)
coder coder to 2.34.2 (inc)
coder coder From 2.33.0 (inc) to 2.33.8 (exc)
coder coder to 2.34.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Coder platform's AI Bridge proxy endpoints, which authenticate requests using API keys. The authentication process checks key format, expiry, secret, and whether the user is deleted or a system user, but it does not verify if the user account is suspended.

As a result, suspended users with unexpired API keys can continue to access the AI Bridge endpoints, even though their accounts are suspended. This means that suspension does not immediately revoke access if the API keys remain valid.

The issue affects versions starting from 2.30.0 up to versions prior to 2.32.7, 2.33.8, and 2.34.2, which include patches to fix this problem by rejecting non-active users during authorization.

A workaround is to manually delete the suspended user's API keys to prevent continued access.

Impact Analysis

The vulnerability allows suspended users to retain access to AI Bridge LLM proxy endpoints using their unexpired API keys. This can lead to unauthorized use of paid provider resources and invocation of MCP tools if enabled.

Because the API keys remain valid until they expire or are deleted, suspended users may continue to consume resources and potentially perform actions they should no longer be authorized to do.

The practical impact is limited to already-issued API keys of suspended users until those keys are deleted or expire.

Detection Guidance

This vulnerability involves suspended users retaining access via unexpired API keys because the system does not check if the user account is suspended during authorization. Detection involves identifying API keys belonging to suspended users that are still active.

A practical detection approach is to audit API keys issued to users and verify if any keys are active for users whose accounts are suspended. Since the vulnerability is related to API key usage, monitoring API calls to AI Bridge proxy endpoints and correlating them with user account status can help detect exploitation.

Commands to assist detection might include querying the user database or API key management system to list API keys for suspended users. For example, using the Coder API or CLI to list users and their keys, then filtering for suspended accounts with active keys.

  • Use the DELETE /api/v2/users/{user}/keys endpoint to manage keys, which implies you can GET or list keys similarly to detect active keys for suspended users.
  • Monitor logs for AI Bridge proxy endpoint access and correlate with user status to identify unauthorized access by suspended users.
Mitigation Strategies

The immediate mitigation step is to delete API keys of suspended users, as suspension alone does not revoke existing API keys.

This can be done by issuing a DELETE request to the API endpoint: DELETE /api/v2/users/{user}/keys for each suspended user.

Additionally, upgrading Coder to versions 2.32.7, 2.33.8, or 2.34.2 is strongly recommended, as these versions include patches that enforce active user checks during authorization, preventing suspended users from accessing AI Bridge proxy endpoints.

  • Manually delete API keys of suspended users using the DELETE /api/v2/users/{user}/keys API.
  • Upgrade Coder to version 2.32.7 or later (e.g., 2.33.8, 2.34.2) to apply the official patch that enforces user active status checks.
Compliance Impact

The vulnerability allows suspended users to retain access to AI Bridge proxy endpoints via unexpired API keys because the system does not check if an account is suspended during authorization. This could lead to unauthorized access to resources and potential misuse of paid provider resources.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the issue of suspended users retaining access could pose risks related to unauthorized access and data protection requirements common in these regulations.

Organizations relying on Coder versions affected by this vulnerability should consider the risk that suspended accounts might still access sensitive development environments or data, which could impact compliance with access control and user management policies required by standards like GDPR and HIPAA.

The vulnerability is mitigated in patched versions (2.32.7, 2.33.8, and 2.34.2) which enforce active user checks during authorization, and a workaround exists to delete API keys upon suspension to prevent continued access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55435. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart