PT-2026-56065 · Go · Github.Com/Coder/Coder/V2
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-55075
CVSS v3.1
7.4
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Summary
Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the
email verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified.Impact
An attacker who could authenticate at the configured OIDC provider with an email matching a victim's Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.
Patches
The fix restricts the email fallback to first-time and legacy linking and defaults
email verified to false when the claim is absent or of an unexpected type.The fix was backported to all supported release lines:
| Release line | Patched version |
|---|---|
| 2.34 | v2.34.2 |
| 2.33 | v2.33.8 |
| 2.32 | v2.32.7 |
| 2.29 (ESR) | v2.29.17 |
Workarounds
Configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
Resources
- Fix: #25712, #25713
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22450) for independently disclosing this issue!
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Github.Com/Coder/Coder/V2