Lucene search
K

307 matches found

NVD
NVD
added last week7 views

CVE-2026-55435

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...

5.4CVSS0.00315EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added last week6 views

CVE-2026-55435

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...

5.4CVSS6AI score0.00315EPSS
Exploits0References8Affected Software1
CVE
CVE
added last week12 views

CVE-2026-55435

CVE-2026-55435 affects Coder’s AI Bridge proxy endpoints. The vulnerability stems from Server.IsAuthorized not checking whether a suspended account is active, so an unexpired API key issued to a suspended user remains usable until the key is deleted. Impact is limited to already-issued keys; no n...

5.4CVSS6AI score0.00315EPSS
Exploits0References7Affected Software1
Cvelist
Cvelist
added last week37 views

CVE-2026-55435 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...

5.4CVSS0.00315EPSS
Exploits0References7
OSV
OSV
added last week6 views

CVE-2026-55435 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...

5.4CVSS6AI score0.00315EPSS
Exploits0References9
OSV
OSV
added last week8 views

GO-2026-5925 Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder

Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References2
NVD
NVD
added 2026/07/06 10:16 p.m.9 views

CVE-2026-43918

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS0.00235EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/06 9:18 p.m.34 views

CVE-2026-43918 Suspended or inactive FOSSBilling accounts can retain or regain access through existing sessions, API tokens, and password reset flows

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS0.00235EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:18 p.m.5 views

CVE-2026-43918

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS5.9AI score0.00235EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/07/06 9:18 p.m.26 views

CVE-2026-43918

FOSSBilling before 0.8.0 does not invalidate existing sessions for suspended or inactive accounts. The session identity loaders (loggedin_client and loggedin_admin) only reject sessions if the backing account record no longer exists; they do not check that the account’s status remains active. Thi...

8.7CVSS5.9AI score0.00235EPSS
Exploits0References2
OSV
OSV
added 2026/07/06 9:18 p.m.3 views

CVE-2026-43918 Suspended or inactive FOSSBilling accounts can retain or regain access through existing sessions, API tokens, and password reset flows

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS5.9AI score0.00235EPSS
Exploits0References4
Snyk
Snyk
added 2026/07/06 9:11 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation in the IsAuthorized function. An attacker can maintain unauthorized access to AI Bridge LLM proxy endpoints by using previously issued, unexpired API tokens even after the associate...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/06 9:11 p.m.6 views

Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2026/07/06 9:11 p.m.4 views

GHSA-WQXV-W64V-5WH6 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.11 views

PT-2026-56079

Name of the Vulnerable Software and Affected Versions Coder versions 2.30.0 through 2.32.6 Coder versions 2.33.0 through 2.33.7 Coder versions 2.34.0 through 2.34.1 Description AI Bridge proxy endpoints authenticate via the Server.IsAuthorized function in coderd/aibridgedserver. This process...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References16
SUSE CVE
SUSE CVE
added 2026/06/10 2:25 a.m.11 views

SUSE CVE-2026-46327

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

7.8CVSS5.4AI score0.0012EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/09 4:51 p.m.10 views

CVE-2026-46327

A flaw was found in the Linux kernel's device mapper dm component. The dmblkreportzones function performs a check for the device's suspended state without proper locking. This allows the device to enter a suspended state immediately after the check, leading to an inconsistent state. This...

7.8CVSS5.4AI score0.0012EPSS
Exploits0References4
NVD
NVD
added 2026/06/09 2:16 p.m.19 views

CVE-2026-46327

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

7.8CVSS0.0012EPSS
Exploits0References4
OSV
OSV
added 2026/06/09 2:16 p.m.11 views

UBUNTU-CVE-2026-46327

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

7.8CVSS5.2AI score0.0012EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/09 12:25 p.m.10 views

CVE-2026-46327

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

7.8CVSS5.3AI score0.0012EPSS
Exploits0
Rows per page
Query Builder