VYPR
Critical severity 9.1 · GHSA Advisory · Published May 19, 2026 · Updated May 19, 2026

Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

CVE-2026-46354

Description

Summary

azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content, e.g. {"vmId":""}, and the forged vmId will be accepted, returning the victim workspace agent's session token.

No authentication is required. The attacker only needs to know a target VM's vmId, which is a UUIDv4.

> That's a practical limitation which would typically require prior access to be exploited.

Root Cause

In unpatched Coder releases, the signature over the PKCS#7 content is not validated; only the signing certificate is checked.
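As an added illustration (not Coder's code, nor the PKCS#7 library it uses), here is a Go sketch of the chain-only check beside the check the fix adds: a constructed root CA and leaf stand in for the Azure chain, and `Envelope`, the function names and the vmId values are all made up for this example. Real PKCS#7 signs over signed attributes that carry a content digest rather than the raw content; the sketch collapses that to a direct ECDSA signature over the content so the missing step is visible on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Envelope stands in for the PKCS#7 SignedData the agent sends: content, signature, signer cert.
type Envelope struct {
	Content, Signature []byte
	Signer             *x509.Certificate
}
// validateVulnerable mirrors the flaw: the signer must chain to a trusted root, but the signature over Content is never checked.
func validateVulnerable(env Envelope, roots *x509.CertPool) error {
	_, err := env.Signer.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
// validateFixed adds the missing step: Content must verify under the chained certificate's key.
func validateFixed(env Envelope, roots *x509.CertPool) error {
	if err := validateVulnerable(env, roots); err != nil {
		return err
	}
	return env.Signer.CheckSignature(x509.ECDSAWithSHA256, env.Content, env.Signature)
}
// Fixture builds a constructed root CA and leaf (stand-ins for the Azure chain), a genuine envelope, and a forgery that reuses the genuine certificate with attacker-chosen content.
func Fixture() (roots *x509.CertPool, genuine, forged Envelope) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, later := time.Now(), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"}, NotBefore: now, NotAfter: later, IsCA: true, BasicConstraintsValid: true}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-signer"}, NotBefore: now, NotAfter: later}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // fixture: errors ignored
	ca, _ := x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	content := []byte(`{"vmId":"11111111-1111-4111-8111-111111111111"}`) // constructed vmId
	digest := sha256.Sum256(content)
	sig, _ := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	genuine = Envelope{Content: content, Signature: sig, Signer: leaf}
	forged = Envelope{Content: []byte(`{"vmId":"attacker-chosen"}`), Signature: sig, Signer: leaf}
	return roots, genuine, forged
}
```

With the fixture, validateVulnerable accepts both the genuine and the forged envelope because only the certificate is examined, while validateFixed rejects the forgery because the signature does not cover its content.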

Impact

An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can:

1. Steal an agent session token by sending a forged PKCS#7 envelope to `POST /api/v2/workspaceagents/azure-instance-identity`, which is unauthenticated.
2. With the stolen token, access:
   - The Git SSH private key via `GET /workspaceagents/me/gitsshkey`: push to repositories and impersonate the workspace owner.
   - OAuth access tokens via `GET /workspaceagents/me/external-auth`: GitHub, GitLab, and Bitbucket tokens in plaintext.
   - Workspace secrets via the agent manifest: environment variables, file paths, and API keys.

Attack Path Diagram

Affected Versions

All versions of Coder v2 are affected.

Patches

Fixed in #25286

The fix was backported to all supported release lines:

| Patched Versions |
| --- |
| **v2.33.3** |
| **v2.32.2** |
| **v2.31.12** |
| **v2.30.8** |
| **v2.29.13** |
| **v2.24.5** |

Workarounds

If you are unable to patch, we recommend immediately reconfiguring any Azure templates to use token authentication rather than azure-instance-identity until the patch is released and you are fully upgraded.

  1. Modify the `coder_agent.auth` value to be `token`.
  2. Add `CODER_AGENT_TOKEN=${coder_agent.main.token}` to the set of environment variables for the Coder Workspace Agent initialization script.

Recognition

We'd like to thank Ben Tran of calif.io and Anthropic’s Security Team (ANT-2026-22445) for independently disclosing this issue!

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Coder's Azure instance identity validation skips PKCS#7 signature check, allowing unauthenticated attackers to forge vmId and steal agent session tokens, compromising SSH keys, OAuth tokens, and secrets.

Root Cause

The azureidentity.Validate() function in Coder verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but does not validate the PKCS#7 signature itself [2][3]. This allows an attacker to embed a legitimate Azure certificate alongside arbitrary content—for example {"vmId":""}—and the forged vmId will be accepted [2].

Exploitation

No authentication is required. The attacker only needs to know the target VM's vmId (a UUIDv4, which is a practical limitation that typically requires prior access) [2]. The attack is carried out by sending a forged PKCS#7 envelope to the unauthenticated endpoint POST /api/v2/workspaceagents/azure-instance-identity [3]. An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can launch this attack [3].

Impact

By obtaining a forged agent session token, an attacker can access:

- The Git SSH private key via GET /workspaceagents/me/gitsshkey, enabling repository pushes and identity impersonation.
- OAuth access tokens (GitHub, GitLab, Bitbucket) in plaintext via GET /workspaceagents/me/external-auth.
- Workspace secrets from the agent manifest, including environment variables, file paths, and API keys [3].

The attacker effectively gains full control over the compromised workspace agent.

Mitigation

Patches have been released for all supported release lines: v2.24.5, v2.29.13, v2.30.8, v2.31.12, v2.32.2, and v2.33.3 [1][2][3][4]. Users unable to patch immediately should reconfigure Azure templates to use token authentication instead of azure-instance-identity as a workaround [3].


Affected products

  • Coder/Coder (GHSA), 2 version ranges:
    • (no CPE) range: <= 0.27.3
    • (no CPE) range: <=2.33.2 || 2.32.x <=2.32.1 || 2.31.x <=2.31.11 || 2.30.x <=2.30.7 || 2.29.x <=2.29.12 || 2.24.x <=2.24.4
