PT-2026-56066 · Coder · Coder

Published

2026-07-06

·

Updated

2026-07-07

·

CVE-2026-55076

CVSS v3.1

7.4

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17
Description An issue exists in the OIDC callback where the email verified claim is checked using a direct Go bool type assertion. If an Identity Provider (IdP) returns this claim as a non-boolean type (such as the string "false") or omits it entirely, the assertion fails open, causing the email to be treated as verified. When combined with an unconditional email-based account fallback, an attacker can register a victim's email at a compatible IdP without verifying it to gain unauthorized access and full account takeover of the victim's Coder account.
Recommendations Update to version 2.34.2 or later. Update to version 2.33.8 or later. Update to version 2.32.7 or later. Update to version 2.29.17 or later. As a temporary mitigation, ensure the IdP returns email verified as a native JSON boolean.

Fix

Improper Authentication

Incorrect Type Conversion or Cast

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55076
GHSA-75VM-6W67-GWVP
GO-2026-5907

Affected Products

Coder