PT-2026-56066 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-07
·
CVE-2026-55076
CVSS v3.1
7.4
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Coder versions prior to 2.34.2
Coder versions prior to 2.33.8
Coder versions prior to 2.32.7
Coder versions prior to 2.29.17
Description
An issue exists in the OIDC callback where the
email verified claim is checked using a direct Go bool type assertion. If an Identity Provider (IdP) returns this claim as a non-boolean type (such as the string "false") or omits it entirely, the assertion fails open, causing the email to be treated as verified. When combined with an unconditional email-based account fallback, an attacker can register a victim's email at a compatible IdP without verifying it to gain unauthorized access and full account takeover of the victim's Coder account.Recommendations
Update to version 2.34.2 or later.
Update to version 2.33.8 or later.
Update to version 2.32.7 or later.
Update to version 2.29.17 or later.
As a temporary mitigation, ensure the IdP returns
email verified as a native JSON boolean.Fix
Improper Authentication
Incorrect Type Conversion or Cast
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Coder