108 matches found
CVE-2026-45796
Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...
CVE-2026-46354
Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...
CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...
CVE-2026-46354
Summary: A PKCS#7 signature bypass in Coder (Coder v2 before patches) allows unauthenticated token theft via Azure instance identity. The issue stems from azureidentity.Validate() validating only the signer certificate chain, not the signature itself, enabling forged PKCS#7 envelopes containing a...
CVE-2026-45796 Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint
Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...
CVE-2026-45796
Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...
CVE-2026-45796 Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint
Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...
PYSEC-2026-1209 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation There is...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation Upgrade...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation Upgrade...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation There is...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...
GO-2026-5169 Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder...
CVE-2026-55412 ToolJet Cloud - SSRF to Azure Cloud Infrastructure Compromise
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only...
openSUSE 15: azure-cli / azure-cli-core / azure-cli-telemetry / python311-anyio / etc (SUSE-SU-SUSE-RU-2026:2237-2)
"The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-SUSE-RU-2026:2237-2 advisory. Changes in azure-cli-core: - Drop CVE-2025-24049 patch, fixed upstream - New upstream release - Version 2.82.0 - For detailed information...
CVE-2026-35430
Authorization bypass through user-controlled key in Azure Privileged Identity Management PIM allows an authorized attacker to elevate privileges over a network...
GHSA-686C-7VGV-V3FX Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint
Summary Unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST /api/v2/workspaceagents/azure-instance-identity. An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a...