Search criteria
Related vulnerabilities
GHSA-686C-7VGV-V3FX
Vulnerability from github – Published: 2026-05-19 19:53 – Updated: 2026-05-19 19:53
VLAI
Summary
Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint
Details
Summary
Unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (POST /api/v2/workspaceagents/azure-instance-identity). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target's response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred.
Details
The POST /api/v2/workspaceagents/azure-instance-identity endpoint accepts a PKCS#7 signature without authentication. During certificate chain verification, azureidentity.Validate() iterates over the signer certificate's IssuingCertificateURL extension and fetches each URL using http.DefaultClient with no host restriction, no private-IP blocking, and no response-size limit.
An attacker crafts a self-signed certificate whose Common Name matches *.metadata.azure.com (passing the allowedSigners regex) and whose IssuingCertificateURL points to an attacker-chosen target. The server fetches that URL and feeds the response body into x509.ParseCertificate. The parsed result is discarded, but the wrapped error string is returned verbatim in the JSON response via Detail: err.Error(). Connection-level errors ("connection refused", "i/o timeout", DNS failures) and certificate-parse errors give the attacker enough signal to infer host reachability and port state without seeing the actual response content.
Root causes:
- No allowlist on
IssuingCertificateURLhosts. Any URL was accepted. http.DefaultClientwas used. It follows redirects and connects to private, link-local, and loopback addresses.- Unbounded
io.ReadAllon the response body (memory exhaustion vector). - Raw
err.Error()was returned in the JSON response, leaking internal HTTP client errors to the caller.
Impact
This is a semi-blind SSRF: the server makes the outbound request but the HTTP response body is consumed by x509.ParseCertificate and never returned to the attacker.
- Internal network reconnaissance. The attacker can map internal hosts and ports by observing error differentiation in the API response: "connection refused" (port closed), "i/o timeout" (host unreachable or firewalled), DNS failure (host does not exist), or certificate-parse error (port open and responding). This enables systematic scanning of the internal network from the Coder server's vantage point.
- Requests to sensitive endpoints. The server can be directed to hit cloud metadata services (e.g.
http://169.254.169.254/), internal admin interfaces, or other services. The attacker cannot read the response content, but the request itself may have side effects depending on the target. - Error-based information disclosure. Wrapped Go HTTP client errors in the
Detailfield expose internal hostnames, IP addresses, port numbers, and network topology details. - Memory exhaustion. The unbounded
io.ReadAllon the response body allows an attacker to pointIssuingCertificateURLat a large resource, forcing the server to buffer it entirely in memory.
Patches
Fixed in #25274 (commit 57b11d405):
The fix was backported to all supported release lines:
| Release line | Patched version |
|---|---|
| 2.33 | v2.33.3 |
| 2.32 | v2.32.2 |
| 2.31 | v2.31.12 |
| 2.30 | v2.30.8 |
| 2.29 | v2.29.13 |
| 2.24 (ESR) | v2.24.5 |
Workarounds
If the Azure identity-auth mechanism is not being used then restrict access to the corresponding endpoint (/api/v2/workspaceagents/azure-instance-identity) using ingress firewall and/or proxy ACLs.
Recognition
We'd like to thank Ben Tran of calif.io and Anthropic's Security Team (ANT-2026-22447) for independently disclosing this issue!
Severity
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0-rc.0"
},
{
"fixed": "2.33.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.32.0-rc.0"
},
{
"fixed": "2.32.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.31.0"
},
{
"fixed": "2.31.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.30.0"
},
{
"fixed": "2.30.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.29.0"
},
{
"fixed": "2.29.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.27.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45796"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T19:53:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nUnauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target\u0027s response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred.\n\n## Details\n\nThe `POST /api/v2/workspaceagents/azure-instance-identity` endpoint accepts a PKCS#7 signature without authentication. During certificate chain verification, [`azureidentity.Validate()`](https://github.com/coder/coder/blob/aa0e288b88/coderd/azureidentity/azureidentity.go#L83-L88) iterates over the signer certificate\u0027s `IssuingCertificateURL` extension and fetches each URL using `http.DefaultClient` with no host restriction, no private-IP blocking, and no response-size limit.\n\nAn attacker crafts a self-signed certificate whose Common Name matches `*.metadata.azure.com` (passing the `allowedSigners` regex) and whose `IssuingCertificateURL` points to an attacker-chosen target. The server fetches that URL and feeds the response body into `x509.ParseCertificate`. The parsed result is discarded, but the wrapped error string is returned verbatim in the JSON response via `Detail: err.Error()`. Connection-level errors (\"connection refused\", \"i/o timeout\", DNS failures) and certificate-parse errors give the attacker enough signal to infer host reachability and port state without seeing the actual response content.\n\n**Root causes:**\n\n1. No allowlist on `IssuingCertificateURL` hosts. Any URL was accepted.\n2. `http.DefaultClient` was used. It follows redirects and connects to private, link-local, and loopback addresses.\n3. Unbounded `io.ReadAll` on the response body (memory exhaustion vector).\n4. Raw `err.Error()` was returned in the JSON response, leaking internal HTTP client errors to the caller.\n\n## Impact\n\nThis is a semi-blind SSRF: the server makes the outbound request but the HTTP response body is consumed by `x509.ParseCertificate` and never returned to the attacker.\n\n- **Internal network reconnaissance.** The attacker can map internal hosts and ports by observing error differentiation in the API response: \"connection refused\" (port closed), \"i/o timeout\" (host unreachable or firewalled), DNS failure (host does not exist), or certificate-parse error (port open and responding). This enables systematic scanning of the internal network from the Coder server\u0027s vantage point.\n- **Requests to sensitive endpoints.** The server can be directed to hit cloud metadata services (e.g. `http://169.254.169.254/`), internal admin interfaces, or other services. The attacker cannot read the response content, but the request itself may have side effects depending on the target.\n- **Error-based information disclosure.** Wrapped Go HTTP client errors in the `Detail` field expose internal hostnames, IP addresses, port numbers, and network topology details.\n- **Memory exhaustion.** The unbounded `io.ReadAll` on the response body allows an attacker to point `IssuingCertificateURL` at a large resource, forcing the server to buffer it entirely in memory.\n\n## Patches\n\nFixed in [#25274](https://github.com/coder/coder/pull/25274) (commit [`57b11d405`](https://github.com/coder/coder/commit/57b11d405f17492aa789d4b9ff33366f961a37f8)):\n\nThe fix was backported to all supported release lines:\n\n| Release line | Patched version |\n|---|---|\n| 2.33 | [v2.33.3](https://github.com/coder/coder/releases/tag/v2.33.3) |\n| 2.32 | [v2.32.2](https://github.com/coder/coder/releases/tag/v2.32.2) |\n| 2.31 | [v2.31.12](https://github.com/coder/coder/releases/tag/v2.31.12) |\n| 2.30 | [v2.30.8](https://github.com/coder/coder/releases/tag/v2.30.8) |\n| 2.29 | [v2.29.13](https://github.com/coder/coder/releases/tag/v2.29.13) |\n| 2.24 (ESR) | [v2.24.5](https://github.com/coder/coder/releases/tag/v2.24.5) |\n\n## Workarounds\n\nIf the Azure identity-auth mechanism is not being used then restrict access to the corresponding endpoint (`/api/v2/workspaceagents/azure-instance-identity`) using ingress firewall and/or proxy ACLs.\n\n### Recognition\n\nWe\u0027d like to thank [Ben Tran](https://github.com/bencalif) of [calif.io](http://calif.io/) and Anthropic\u0027s Security Team (`ANT-2026-22447`) for independently disclosing this issue!",
"id": "GHSA-686c-7vgv-v3fx",
"modified": "2026-05-19T19:53:51Z",
"published": "2026-05-19T19:53:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coder/coder/security/advisories/GHSA-686c-7vgv-v3fx"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/25274"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/commit/57b11d405f17492aa789d4b9ff33366f961a37f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/coder/coder"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.24.5"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.29.13"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.30.8"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.31.12"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.32.2"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.33.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint"
}