critical advisory

Coder Azure Instance Identity PKCS#7 Signature Bypass Leads to Unauthenticated Agent Token Theft (CVE-2026-46354)

Coder is vulnerable to a PKCS#7 signature bypass in Azure instance identity (CVE-2026-46354), allowing unauthenticated agent token theft via a forged vmId, enabling access to Git SSH private keys, OAuth access tokens, and workspace secrets.

Coder v2 is susceptible to a critical vulnerability where the azureidentity.Validate() function fails to properly validate the PKCS#7 signature when using Azure instance identity for authentication. This flaw allows an unauthenticated attacker to bypass security measures by embedding a legitimate Azure certificate alongside a forged vmId within a PKCS#7 envelope. Successful exploitation allows retrieval of the victim workspace agent’s session token, granting unauthorized access to sensitive resources. The attacker only requires knowledge of the target VM’s vmId (UUIDv4), which, while a limitation, could be obtained through prior access or reconnaissance. This vulnerability impacts all versions of Coder v2 prior to the patched versions released in May 2026.

Attack Chain

  1. Attacker identifies a target Coder workspace agent and obtains its vmId UUIDv4.
  2. Attacker crafts a malicious PKCS#7 envelope containing a legitimate Azure certificate and a forged vmId targeting the identified workspace.
  3. Attacker sends a POST request to the /api/v2/workspaceagents/azure-instance-identity endpoint with the crafted PKCS#7 envelope. This endpoint is unauthenticated.
  4. Coder’s azureidentity.Validate() function incorrectly validates only the signer certificate, failing to verify the PKCS#7 signature itself.
  5. The forged vmId is accepted, and the attacker retrieves the workspace agent’s session token.
  6. Attacker uses the stolen token to access the GET /workspaceagents/me/gitsshkey endpoint to retrieve the Git SSH private key.
  7. Attacker uses the stolen token to access the GET /workspaceagents/me/external-auth endpoint, exfiltrating OAuth access tokens for GitHub, GitLab, and Bitbucket.
  8. Attacker uses the stolen token to access workspace secrets via the agent manifest, including environment variables, file paths, and API keys.

Impact

Successful exploitation of this vulnerability (CVE-2026-46354) grants an attacker unauthorized access to sensitive resources within Coder workspaces. This can lead to complete compromise of the workspace, including the ability to push malicious code to repositories using the stolen Git SSH private key, impersonate the workspace owner, and access sensitive environment variables, file paths, and API keys. If an attacker gains access to source code repositories and developer secrets, they can cause significant data breaches, intellectual property theft, and supply chain attacks.

Recommendation

  • Immediately patch Coder instances to a fixed release on their branch (v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, v2.24.5 or later) to address CVE-2026-46354.
  • As a temporary workaround, reconfigure Azure templates to use token authentication instead of azure-instance-identity, as described in the advisory. Specifically, modify the coder_agent.auth value to token.
  • Implement the provided Sigma rule to detect suspicious POST requests to the /api/v2/workspaceagents/azure-instance-identity endpoint with potentially crafted PKCS#7 envelopes.
  • Monitor web server logs for abnormal activity and unauthorized access attempts to the /api/v2/workspaceagents/azure-instance-identity, /workspaceagents/me/gitsshkey, and /workspaceagents/me/external-auth endpoints.

Detection coverage (3 rules)

Detect CVE-2026-46354 Exploitation — Suspicious POST to Azure Instance Identity Endpoint

high

Detects CVE-2026-46354 exploitation — HTTP POST to /api/v2/workspaceagents/azure-instance-identity which may indicate an attempt to exploit the PKCS#7 signature bypass vulnerability.

Sigma | tactics: initial_access | techniques: T1190 | sources: webserver

Detect Coder Workspace Agent Git SSH Key Access

medium

Detects access to the /workspaceagents/me/gitsshkey endpoint, potentially indicating an attempt to steal the Git SSH private key after a successful exploit.

Sigma | tactics: credential_access | techniques: T1555.004 | sources: webserver

Detect Coder Workspace Agent External Auth Access

medium

Detects access to the /workspaceagents/me/external-auth endpoint, potentially indicating an attempt to steal OAuth access tokens after a successful exploit.

Sigma | tactics: credential_access | techniques: T1555.005 | sources: webserver
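The three rules above, applied to web server access logs as an added example; this is not the feed's Sigma rule or Coder's code. It assumes combined log format and matches the /me/ endpoints by path suffix, since the advisory lists them without the /api/v2 prefix; the log lines and client addresses are constructed.

```python
import re
from collections import defaultdict

# Combined access-log prefix: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# (method, path suffix, severity) from the advisory's three rules; suffix match is an assumption
RULES = [
    ("POST", "/api/v2/workspaceagents/azure-instance-identity", "high"),
    ("GET", "/workspaceagents/me/gitsshkey", "medium"),
    ("GET", "/workspaceagents/me/external-auth", "medium"),
]

def match_line(line):
    """Return (client, severity, matched suffix) when a line hits a rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop the query string before matching
    for method, suffix, severity in RULES:
        if m["method"] == method and path.endswith(suffix):
            return m["client"], severity, suffix
    return None

def scan(lines):
    """Per-client verdict: a client that both POSTs to the identity endpoint and reads a
    /me/ secret endpoint is raised to 'critical', mirroring the advisory's attack chain.
    Legitimate agents hit these endpoints at startup too, so baseline per source."""
    events = defaultdict(set)
    for line in lines:
        hit = match_line(line)
        if hit:
            client, severity, _ = hit
            events[client].add(severity)
    verdicts = {}
    for client, severities in events.items():
        if {"high", "medium"} <= severities:
            verdicts[client] = "critical"
        else:
            verdicts[client] = "high" if "high" in severities else "medium"
    return verdicts

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2026:10:00:01 +0000] "POST /api/v2/workspaceagents/azure-instance-identity HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2026:10:00:03 +0000] "GET /api/v2/workspaceagents/me/gitsshkey HTTP/1.1" 200 3243',
    '198.51.100.9 - - [01/May/2026:10:01:00 +0000] "GET /api/v2/workspaceagents/me/external-auth?match=github HTTP/1.1" 200 890',
    '192.0.2.5 - - [01/May/2026:10:02:00 +0000] "GET /api/v2/workspaces HTTP/1.1" 200 2048',
]
```

Running `scan(SAMPLE_LOG)` flags the first client as critical and the second as medium; the workspace listing is ignored.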
