Threat Advisory

Coder Vulnerability Opens Way for Fake Azure Instance Approval

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

CVE-2026-46354, with a CVSS score of 9.1, is a critical vulnerability in the github.com/coder/coder/v2 package that allows attackers to bypass PKCS#7 signature verification, enabling unauthenticated agent token theft. An attacker who knows a target VM's vmId can exploit this vulnerability by sending a forged PKCS#7 envelope to the unauthenticated POST /api/v2/workspaceagents/azure-instance-identity endpoint. Successful exploitation yields an agent session token, which in turn grants access to Git SSH private keys, OAuth access tokens, and workspace secrets. The business impact includes unauthorized access to sensitive information and potential impersonation of workspace owners. Exploitation requires knowledge of the target VM's vmId and a publicly available Azure IMDS certificate obtainable from Certificate Transparency logs, although prior access is typically needed to obtain the vmId.

RECOMMENDATION:

We strongly recommend that you update github.com/coder/coder and github.com/coder/coder/v2 to the fixed release published at: https://github.com/coder/coder/releases

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6x44-w3xg-hqqf
