{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/coder--2.29.17/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Coder \u003e= 2.34.0, \u003c 2.34.2","Coder \u003e= 2.33.0, \u003c 2.33.8","Coder \u003e= 2.30.0, \u003c 2.32.7","Coder \u003c 2.29.17"],"_cs_severities":["high"],"_cs_tags":["vulnerability","cve","route-hijacking","network-attack","supply-chain"],"_cs_type":"advisory","_cs_vendors":["Coder"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-55428, has been identified in Coder's tailnet coordinator, impacting all supported versions of Coder, including 2.34, 2.33, 2.32, and 2.29 (ESR) prior to their patched releases. The flaw stems from insufficient validation of agent-supplied \u003ccode\u003eAllowedIPs\u003c/code\u003e, allowing a malicious Coder agent to advertise arbitrary network prefixes. This enables the agent to hijack network traffic intended for other agents, intercepting web terminal and workspace application communications, and potentially serving spoofed content. Exploitation requires an authenticated user with a running workspace and a modified agent binary. This vulnerability could lead to significant data exposure, credential theft, or further compromise of an organization's development environment. The issue was independently disclosed by Anthropic's Security Team.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user gains access to a Coder environment and initiates a workspace.\u003c/li\u003e\n\u003cli\u003eThe authenticated user modifies their Coder agent binary to include malicious functionality capable of manipulating \u003ccode\u003eAllowedIPs\u003c/code\u003e advertisements.\u003c/li\u003e\n\u003cli\u003eThe malicious Coder agent connects to the Coder tailnet coordinator.\u003c/li\u003e\n\u003cli\u003eThe malicious agent advertises arbitrary \u003ccode\u003eAllowedIPs\u003c/code\u003e prefixes, including the tailnet address of a target victim agent, to the coordinator.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability (CVE-2026-55428), the Coder coordinator, lacking proper validation, forwards these unverified \u003ccode\u003eAllowedIPs\u003c/code\u003e verbatim to other tunnel peers within the tailnet.\u003c/li\u003e\n\u003cli\u003eThe other tunnel peers, receiving the malicious \u003ccode\u003eAllowedIPs\u003c/code\u003e configuration, install them into their WireGuard peer configurations, effectively re-routing traffic intended for the victim agent to the malicious agent.\u003c/li\u003e\n\u003cli\u003eThe malicious agent then intercepts web terminal and workspace application traffic from the victim and can serve spoofed content, facilitating data exfiltration, credential harvesting, or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-55428 allows an attacker to perform a sophisticated Man-in-the-Middle attack within the Coder tailnet. This enables the interception of sensitive web terminal and workspace application traffic from other users or agents, potentially leading to the theft of credentials, session tokens, or proprietary data. Furthermore, the ability to serve spoofed content means attackers could phish users, deliver malicious updates, or otherwise compromise the integrity of the development environment. The vulnerability affects critical internal communication pathways, posing a severe risk to intellectual property and operational security for organizations utilizing vulnerable Coder versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all affected Coder installations to the patched versions: Coder v2.34.2, v2.33.8, v2.32.7, or v2.29.17 to remediate CVE-2026-55428.\u003c/li\u003e\n\u003cli\u003eMonitor Coder coordinator logs for any agents advertising unexpected \u003ccode\u003eAllowedIPs\u003c/code\u003e prefixes, as this could indicate an attempted or successful exploitation.\u003c/li\u003e\n\u003cli\u003eReview network configurations to ensure that only trusted and authenticated agents are permitted to interact with the Coder tailnet coordinator.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T21:04:20Z","date_published":"2026-07-06T21:04:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-coder-route-hijacking/","summary":"A high-severity vulnerability (CVE-2026-55428) in Coder's tailnet coordinator allows a malicious workspace agent to hijack network routes by advertising arbitrary `AllowedIPs` prefixes, enabling interception and spoofing of web terminal and workspace application traffic.","title":"Coder Tailnet Vulnerability (CVE-2026-55428) Leads to Route Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-07-coder-route-hijacking/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Coder \u003c 2.29.17","Coder \u003e= 2.30.0 \u003c 2.32.7","Coder \u003e= 2.33.0 \u003c 2.33.8","Coder \u003e= 2.34.0 \u003c 2.34.2"],"_cs_severities":["high"],"_cs_tags":["account-takeover","oidc","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["Coder"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-55076, has been identified in Coder's platform, affecting versions prior to 2.34.2, 2.33.8, 2.32.7, and 2.29.17. The flaw resides in how Coder's OpenID Connect (OIDC) callback processes the \u003ccode\u003eemail_verified\u003c/code\u003e claim from an Identity Provider (IdP). Instead of robust type coercion, Coder used a direct Go \u003ccode\u003ebool\u003c/code\u003e type assertion. This meant that if an IdP returned \u003ccode\u003eemail_verified\u003c/code\u003e as a non-boolean value (e.g., the string \u003ccode\u003e\u0026quot;false\u0026quot;\u003c/code\u003e) or omitted the claim entirely, Coder's system would incorrectly default to treating the email as verified. This misinterpretation, combined with an unconditional email-based account fallback feature, created a pathway for unauthenticated account takeover, enabling attackers to gain full control over a victim's existing Coder account without requiring prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Account Registration\u003c/strong\u003e: The victim legitimately registers and creates an account on a Coder instance, likely linked to their corporate email address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker IdP Setup\u003c/strong\u003e: The attacker registers an OpenID Connect (OIDC) Identity Provider (IdP) and configures it to impersonate the victim's email address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdP Claim Manipulation\u003c/strong\u003e: The attacker's IdP is configured to either omit the \u003ccode\u003eemail_verified\u003c/code\u003e claim or return it as a non-boolean string (e.g., \u003ccode\u003e\u0026quot;false\u0026quot;\u003c/code\u003e) during an authentication response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOIDC Authentication Attempt\u003c/strong\u003e: The attacker initiates an OIDC login attempt to the target Coder instance, selecting their malicious IdP.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eType Coercion Bypass\u003c/strong\u003e: Coder's OIDC callback receives the IdP response and, due to the vulnerability, incorrectly processes the \u003ccode\u003eemail_verified\u003c/code\u003e claim (or its absence) as verified.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Fallback Activation\u003c/strong\u003e: Coder's unconditional email-based account fallback mechanism matches the (falsely) verified email from the IdP to the victim's existing Coder account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession Establishment\u003c/strong\u003e: Coder grants the attacker a valid session for the victim's account, resulting in a full account takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-55076 allows for complete account takeover of any existing Coder user. An attacker does not need prior authentication to the Coder instance. This means sensitive data, project code, and system configurations associated with the compromised account become fully accessible to the attacker. While no specific victim count or targeted sector is provided, Coder is widely used for development environments, meaning a wide range of organizations and intellectual property could be at risk. The direct result is unauthorized access to development infrastructure and potential lateral movement within an organization's ecosystem.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-55076 immediately\u003c/strong\u003e by upgrading your Coder instance to version 2.34.2, 2.33.8, 2.32.7, or 2.29.17 as described in the brief.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview IdP configurations\u003c/strong\u003e: Ensure your Identity Provider (IdP) for OIDC returns the \u003ccode\u003eemail_verified\u003c/code\u003e claim as a native JSON boolean (\u003ccode\u003etrue\u003c/code\u003e or \u003ccode\u003efalse\u003c/code\u003e) to mitigate risks in case of other application vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T20:58:08Z","date_published":"2026-07-06T20:58:08Z","id":"https://feed.craftedsignal.io/briefs/2026-07-coders-oidc-email-bypass/","summary":"A vulnerability, CVE-2026-55076, in Coder's OpenID Connect (OIDC) authentication callback allowed an attacker to bypass email verification due to improper Go boolean type assertion of the `email_verified` claim, leading to full account takeover for existing user accounts.","title":"Coder OIDC email_verified Type Coercion Bypass (CVE-2026-55076)","url":"https://feed.craftedsignal.io/briefs/2026-07-coders-oidc-email-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Coder \u003c 2.29.17","Coder \u003e= 2.30.0, \u003c 2.32.7","Coder \u003e= 2.33.0, \u003c 2.33.8","Coder \u003e= 2.34.0, \u003c 2.34.2"],"_cs_severities":["high"],"_cs_tags":["oidc","account-takeover","vulnerability","coder","cloud"],"_cs_type":"advisory","_cs_vendors":["Coder"],"content_html":"\u003cp\u003eCVE-2026-55075 describes two critical vulnerabilities discovered in Coder's OpenID Connect (OIDC) login process, publicly disclosed in July 2026 by Anthropic's Security Team. The first flaw involves email-based user matching, which would link a Coder account to an OIDC identity based solely on a matching email address, even if an existing link to a different Identity Provider (IdP) subject was present. The second flaw permits bypassing the \u003ccode\u003eemail_verified\u003c/code\u003e claim, where the system incorrectly treated an absent or non-boolean \u003ccode\u003eemail_verified\u003c/code\u003e claim as verified. Chaining these issues allows an attacker controlling a matching email address at the OIDC provider to log in as a victim Coder user, gaining full access to their development workspaces, templates, and resources. This vulnerability specifically targets Coder installations configured with OIDC authentication, affecting versions prior to \u003ccode\u003ev2.29.17\u003c/code\u003e and specific ranges within the \u003ccode\u003e2.30.x\u003c/code\u003e, \u003ccode\u003e2.33.x\u003c/code\u003e, and \u003ccode\u003e2.34.x\u003c/code\u003e series.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Coder instance configured to use OIDC authentication.\u003c/li\u003e\n\u003cli\u003eAttacker discovers a victim's email address registered with a Coder account on the target instance.\u003c/li\u003e\n\u003cli\u003eAttacker registers or takes control of an account at the configured OIDC provider using the victim's email address.\u003c/li\u003e\n\u003cli\u003eAttacker initiates an OIDC login flow to the vulnerable Coder instance, authenticating via their controlled OIDC provider account.\u003c/li\u003e\n\u003cli\u003eThe OIDC provider issues an ID Token to the attacker, where the \u003ccode\u003eemail_verified\u003c/code\u003e claim is either absent or has a non-boolean value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Coder instance processes the ID Token, but due to CVE-2026-55075, it bypasses the \u003ccode\u003eemail_verified\u003c/code\u003e check and performs user matching based solely on the email address.\u003c/li\u003e\n\u003cli\u003eThe Coder instance incorrectly links the attacker's OIDC identity to the victim's existing Coder account.\u003c/li\u003e\n\u003cli\u003eThe attacker is granted full access to the victim's Coder account, including workspaces, templates, and resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-55075 leads to complete account takeover within the affected Coder environment. An attacker gains full administrative access to the victim's Coder workspaces, templates, and any associated resources, including access to sensitive code, development environments, and potentially integrated systems. This could lead to data exfiltration, intellectual property theft, code manipulation, or further lateral movement within an organization's development infrastructure. The prerequisites for this attack include the use of OIDC authentication, the attacker's ability to control an email address at the IdP matching the victim's Coder account, and the victim's account not already being linked to a different IdP subject.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all Coder installations to the recommended versions to address CVE-2026-55075: \u003ccode\u003ev2.34.2\u003c/code\u003e, \u003ccode\u003ev2.33.8\u003c/code\u003e, \u003ccode\u003ev2.32.7\u003c/code\u003e, or \u003ccode\u003ev2.29.17\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround for CVE-2026-55075, configure your OIDC provider to disallow self-registration of user accounts.\u003c/li\u003e\n\u003cli\u003eAs an additional temporary workaround for CVE-2026-55075, ensure your OIDC provider is configured to strictly require email verification before issuing ID Tokens for user accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T20:57:10Z","date_published":"2026-07-06T20:57:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-coder-oidc-at/","summary":"Two critical flaws in Coder's OIDC login mechanism, CVE-2026-55075, allow an attacker to achieve account takeover by exploiting email-based user matching without proper IdP subject checks and bypassing the `email_verified` claim, leading to full access to victim workspaces and resources.","title":"Coder OIDC Account Takeover Vulnerabilities (CVE-2026-55075)","url":"https://feed.craftedsignal.io/briefs/2026-07-coder-oidc-at/"}],"language":"en","title":"CraftedSignal Threat Feed - Coder \u003c 2.29.17","version":"https://jsonfeed.org/version/1.1"}