VYPR
Critical severityGHSA Advisory· Published May 19, 2026· Updated May 19, 2026

Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

CVE-2026-46354

Description

Summary

azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. {"vmId":""} and the forged vmId will be accepted returning the victim workspace agent's session token.

No authentication is required. The attacker only needs to know a target VM's vmId which is a UUIDv4. > that's a practical limitation which would typically require prior access to be exploited

Root

Cause

In unpatched Coder releases the signature over the PKCS#7 content is not validated - only the signing certificate is checked.

Impact

An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can:

1. Steal an agent session token by sending a forged PKCS#7 envelope to POST /api/v2/workspaceagents/azure-instance-identity which is unauthenticated. 2. With the stolen token access: - Git SSH private key via GET /workspaceagents/me/gitsshkey: push to repositories and impersonate the workspace owner. - OAuth access tokens via GET /workspaceagents/me/external-auth: GitHub, GitLab, and Bitbucket tokens in plaintext. - Workspace secrets via the agent manifest: environment variables, file paths, and API keys.

Attack

Path Diagram

Affected

Versions

All versions of Coder v2 are affected.

Patches

Fixed in #25286

The fix was backported to all supported release lines:

| Patched Versions | | --- | | **v2.33.3** | | **v2.32.2** | | **v2.31.12** | | **v2.30.8** | | **v2.29.13** | | **v2.24.5** |

Workarounds

If unable to patch we recommend immediately reconfiguring any Azure templates to use token authentication rather than azure-instance-identity until the patch is released and you are fully upgraded.

  1. Modify the `coder_agent.auth` value to be token.
  2. Add CODER_AGENT_TOKEN=${coder_agent.main.token} to the set of environment variables for the Coder Workspace Agent initialization script.

Recognition

We'd like to thank Ben Tran of calif.io and Anthropic’s Security Team (ANT-2026-22445) for independently disclosing this issue!

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/coder/coder/v2Go
>= 2.33.0-rc.0, < 2.33.32.33.3
github.com/coder/coder/v2Go
>= 2.32.0-rc.0, < 2.32.22.32.2
github.com/coder/coder/v2Go
>= 2.31.0, < 2.31.122.31.12
github.com/coder/coder/v2Go
>= 2.30.0, < 2.30.82.30.8
github.com/coder/coder/v2Go
>= 2.29.0, < 2.29.132.29.13
github.com/coder/coder/v2Go
< 2.24.52.24.5
github.com/coder/coderGo
<= 0.27.3

Affected products

1

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.