CVE-2026-46354
Coder · Coder
Coder contains an improper cryptographic signature verification flaw in `azureidentity.Validate()`, allowing attackers to forge session tokens via manipulated Azure VM identities.
Executive summary
A critical cryptographic vulnerability in Coder allows attackers to forge workspace session tokens, leading to unauthorized access to remote development environments.
Vulnerability
The application fails to verify the PKCS#7 signature during Azure identity validation. An unauthenticated attacker can supply a forged VM ID to obtain a valid session token for a target workspace.
Business impact
With a CVSS score of 9.1, this vulnerability poses a severe threat to the integrity of development environments. An attacker could gain unauthorized access to source code, secrets, and infrastructure tokens stored within developer workspaces, potentially leading to supply chain compromises and intellectual property theft.
Remediation
Immediate Action: Upgrade the Coder platform to the patched versions: 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, or 2.33.3.
Proactive Monitoring: Audit session logs for unusual workspace access patterns or tokens originating from unrecognized VM IDs.
Compensating Controls: Reconfigure Azure templates to utilize token-based authentication rather than azure-instance-identity until the patch is successfully applied.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability represents a significant risk to the security of development pipelines. Administrators must verify their current Coder version and apply the recommended patches immediately to prevent session token forgery and unauthorized workspace access.