GHSA-6X44-W3XG-HQQF
Vulnerability from github – Published: 2026-05-19 20:04 – Updated: 2026-05-19 20:04
Summary
azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content, e.g. {"vmId":"<target>"}, and the forged vmId will be accepted, returning the victim workspace agent's session token.
No authentication is required. The attacker only needs to know a target VM's vmId, which is a UUIDv4.
> that's a practical limitation which would typically require prior access to be exploited
Root Cause
In unpatched Coder releases the signature over the PKCS#7 content is not validated; only the signing certificate is checked.
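As an added illustration (not Coder's code and not the patched azureidentity.Validate()), the Go program below models the root cause with a simplified envelope standing in for PKCS#7 SignedData: a signer certificate, the content, and a signature over that content. A chain check alone accepts a genuine certificate paired with replaced content; verifying the signature over the content rejects it. The CA, signer certificate, keys and vmId values are all generated or constructed in memory and are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Validate models the PKCS#7 check: cert must chain to roots and, when checkSig is set,
// sig must verify over content with cert's key. checkSig=false is the unpatched behaviour.
func Validate(cert *x509.Certificate, content, sig []byte, roots *x509.CertPool, checkSig bool) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // signer does not chain to a trusted CA
	}
	h := sha256.Sum256(content)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return !checkSig || (ok && ecdsa.VerifyASN1(pub, h[:], sig)) // CWE-347 fix: only the signature binds content to cert
}

// newCert issues an in-memory test certificate; a nil parent makes it self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo signs one constructed vmId with a properly issued certificate, then presents the same cert and
// signature with another vmId. Returns: forgery ok without sig check, forgery ok with it, genuine ok with it.
func Demo() (bool, bool, bool) {
	ca, caKey := newCert("test-ca", true, nil, nil)
	signer, signerKey := newCert("test-signer", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	genuine := []byte(`{"vmId":"00000000-0000-4000-8000-000000000001"}`) // constructed sample values
	forged := []byte(`{"vmId":"00000000-0000-4000-8000-000000000002"}`)
	h := sha256.Sum256(genuine)
	sig, _ := ecdsa.SignASN1(rand.Reader, signerKey, h[:])
	return Validate(signer, forged, sig, roots, false), Validate(signer, forged, sig, roots, true), Validate(signer, genuine, sig, roots, true)
}
```

The chain check passes in all three cases because the certificate really was issued by the trusted CA; only the signature check notices that the content was swapped.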
Impact
An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can:
- Steal an agent session token by sending a forged PKCS#7 envelope to POST /api/v2/workspaceagents/azure-instance-identity, which is unauthenticated.
- With the stolen token, access:
  - Git SSH private key via GET /workspaceagents/me/gitsshkey: push to repositories and impersonate the workspace owner.
  - OAuth access tokens via GET /workspaceagents/me/external-auth: GitHub, GitLab, and Bitbucket tokens in plaintext.
  - Workspace secrets via the agent manifest: environment variables, file paths, and API keys.
Attack Path Diagram
(Image "PKCS7_diagram" from the advisory; not reproduced in this text rendering.)
Affected Versions
All versions of Coder v2 are affected.
Patches
Fixed in coder/coder#25286 (https://github.com/coder/coder/pull/25286).
The fix was backported to all supported release lines:
| Patched Versions |
|---|
| v2.33.3 |
| v2.32.2 |
| v2.31.12 |
| v2.30.8 |
| v2.29.13 |
| v2.24.5 |
Workarounds
If you are unable to patch, we recommend immediately reconfiguring any Azure templates to use token authentication rather than azure-instance-identity until the patch is released and you are fully upgraded.
- Modify the coder_agent.auth value to be token.
- Add CODER_AGENT_TOKEN=${coder_agent.main.token} to the set of environment variables for the Coder Workspace Agent initialization script.
Recognition
We'd like to thank Ben Tran of calif.io and Anthropic’s Security Team (ANT-2026-22445) for independently disclosing this issue!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0-rc.0"
},
{
"fixed": "2.33.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.32.0-rc.0"
},
{
"fixed": "2.32.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.31.0"
},
{
"fixed": "2.31.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.30.0"
},
{
"fixed": "2.30.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.29.0"
},
{
"fixed": "2.29.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.27.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46354"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T20:04:13Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"id": "GHSA-6x44-w3xg-hqqf",
"modified": "2026-05-19T20:04:13Z",
"published": "2026-05-19T20:04:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/25286"
},
{
"type": "PACKAGE",
"url": "https://github.com/coder/coder"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.24.5"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.29.13"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.30.8"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.31.12"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.32.2"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.33.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft"
}