299 matches found
CVE-2026-55435
CVE-2026-55435 affects Coder’s AI Bridge proxy endpoints. The vulnerability stems from Server.IsAuthorized not checking whether a suspended account is active, so an unexpired API key issued to a suspended user remains usable until the key is deleted. Impact is limited to already-issued keys; no n...
CVE-2026-55435
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...
CVE-2026-43918
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...
CVE-2026-43918
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...
CVE-2026-43918
FOSSBilling before 0.8.0 does not invalidate existing sessions for suspended or inactive accounts. The session identity loaders (loggedin_client and loggedin_admin) only reject sessions if the backing account record no longer exists; they do not check that the account’s status remains active. Thi...
GHSA-WQXV-W64V-5WH6 Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...
PT-2026-56079
Name of the Vulnerable Software and Affected Versions Coder versions 2.30.0 through 2.32.6 Coder versions 2.33.0 through 2.33.7 Coder versions 2.34.0 through 2.34.1 Description AI Bridge proxy endpoints authenticate via the Server.IsAuthorized function in coderd/aibridgedserver. This process...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: dm: fixed dmblkreportzones If dmgetlivetable returned NULL, dmputlivetable was never called. It is also possible that md-zonerevalidatemap might change during the execution of this function. This value should only be read once, s...
SUSE CVE-2026-46327
In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...
CVE-2026-46327
A flaw was found in the Linux kernel's device mapper dm component. The dmblkreportzones function performs a check for the device's suspended state without proper locking. This allows the device to enter a suspended state immediately after the check, leading to an inconsistent state. This...
CVE-2026-46327
In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...
UBUNTU-CVE-2026-46327
In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...
CVE-2026-46327
In the Linux kernel dm subsystem, the vulnerability centers on dm_blk_report_zones checking for suspended state without holding locks, allowing a race where the device may be suspended immediately after the check. The fix moves the dm_suspended_md check to occur after dm_get_live_table, ensuring ...
CVE-2026-46327
In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...
PT-2026-47785
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A race condition exists in the Device Mapper component where the dm blk report zones function checks if a device is suspended using the dm suspended md call without holding the necessary...
Linux Distros Unpatched Vulnerability : CVE-2026-46327
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the dmsuspendedmd call. However, this function is...
CVE-2026-7887
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...
EUVD-2026-31364
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...
CVE-2026-7887
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...