106 matches found
CVE-2026-46354
Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...
CVE-2026-45796
Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...
CVE-2026-46354
Summary: A PKCS#7 signature bypass in Coder (Coder v2 before patches) allows unauthenticated token theft via Azure instance identity. The issue stems from azureidentity.Validate() validating only the signer certificate chain, not the signature itself, enabling forged PKCS#7 envelopes containing a...
CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...
CVE-2026-45796
Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...
CVE-2026-45796 Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint
Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...
PYSEC-2026-1209 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation Upgrade...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation Upgrade...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation There is...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation There is...
GO-2026-5169 Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...
openSUSE 15: azure-cli / azure-cli-core / azure-cli-telemetry / python311-anyio / etc (SUSE-SU-SUSE-RU-2026:2237-2)
"The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-SUSE-RU-2026:2237-2 advisory. Changes in azure-cli-core: - Drop CVE-2025-24049 patch, fixed upstream - New upstream release - Version 2.82.0 - For detailed information...
CVE-2026-35430
Authorization bypass through user-controlled key in Azure Privileged Identity Management PIM allows an authorized attacker to elevate privileges over a network...
GHSA-686C-7VGV-V3FX Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint
Summary Unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST /api/v2/workspaceagents/azure-instance-identity. An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a...
PT-2026-42031
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.33.3 Coder versions prior to 2.32.2 Coder versions prior to 2.31.12 Coder versions prior to 2.30.8 Coder versions prior to 2.29.13 Coder versions prior to 2.24.5 Description An unauthenticated semi-blind Server-Side...
PT-2026-42039
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.33.3 Coder versions prior to 2.32.2 Coder versions prior to 2.31.12 Coder versions prior to 2.30.8 Coder versions prior to 2.29.13 Coder versions prior to 2.24.5 Description The azureidentity.Validate function verifie...