PT-2026-42039 · Coder · Coder

Published 2026-05-19 · Updated 2026-05-22 · CVE-2026-46354

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Coder versions prior to 2.33.3
Coder versions prior to 2.32.2
Coder versions prior to 2.31.12
Coder versions prior to 2.30.8
Coder versions prior to 2.29.13
Coder versions prior to 2.24.5
Description

The azureidentity.Validate() function verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but fails to verify the PKCS#7 signature itself. An unauthenticated attacker who knows a target VM's vmId (a UUIDv4) can embed a legitimate Azure certificate with arbitrary content to forge an identity and steal a workspace agent's session token via the 'POST /api/v2/workspaceagents/azure-instance-identity' endpoint. With this token, an attacker can access Git SSH private keys through 'GET /workspaceagents/me/gitsshkey', OAuth access tokens for GitHub, GitLab, and Bitbucket via 'GET /workspaceagents/me/external-auth', and workspace secrets including environment variables and API keys.
Recommendations

Update to version 2.33.3, 2.32.2, 2.31.12, 2.30.8, 2.29.13, or 2.24.5 depending on the current release line. As a temporary workaround, reconfigure Azure templates to use token authentication instead of azure-instance-identity by changing the coder_agent.auth value to token and adding CODER_AGENT_TOKEN=${coder_agent.main.token} to the environment variables for the Coder Workspace Agent initialization script.
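The temporary workaround as an added Terraform example; it is not taken from the advisory or from Coder's own templates. Only the auth = "token" setting and the CODER_AGENT_TOKEN variable come from the recommendation; the coder_agent resource name "main", the azurerm_linux_virtual_machine wiring and the custom_data script layout are assumed.

```hcl
resource "coder_agent" "main" {
  os   = "linux"
  arch = "amd64"

  # Vulnerable setting: the agent authenticates with the Azure instance-identity
  # document, the path affected by CVE-2026-46354 on unpatched control planes.
  # auth = "azure-instance-identity"

  # Workaround: the agent presents a per-workspace token instead.
  auth = "token"
}

# The init script receives the token through its environment. The script
# wrapper below is an assumed layout; the token attribute is sensitive and is
# only ever rendered into the VM's own custom data.
locals {
  init_script = <<-EOT
    #!/bin/sh
    # CODER_AGENT_TOKEN makes the agent skip the instance-identity exchange.
    export CODER_AGENT_TOKEN='${coder_agent.main.token}'
    ${coder_agent.main.init_script}
  EOT
}

resource "azurerm_linux_virtual_machine" "workspace" {
  # ... remaining VM settings omitted ...
  custom_data = base64encode(local.init_script)
}
```

Revert to the upstream template once the control plane runs a fixed release, since the token path only sidesteps the unverified PKCS#7 check rather than fixing it.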

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2026-46354
GHSA-6X44-W3XG-HQQF

Affected Products

Coder