<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Coder &lt; 2.29.17 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/coder--2.29.17/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:04:20 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/coder--2.29.17/feed.xml" rel="self" type="application/rss+xml"/><item><title>Coder Tailnet Vulnerability (CVE-2026-55428) Leads to Route Hijacking</title><link>https://feed.craftedsignal.io/briefs/2026-07-coder-route-hijacking/</link><pubDate>Mon, 06 Jul 2026 21:04:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-coder-route-hijacking/</guid><description>A high-severity vulnerability (CVE-2026-55428) in Coder's tailnet coordinator allows a malicious workspace agent to hijack network routes by advertising arbitrary `AllowedIPs` prefixes, enabling interception and spoofing of web terminal and workspace application traffic.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-55428, has been identified in Coder's tailnet coordinator, impacting all supported versions of Coder, including 2.34, 2.33, 2.32, and 2.29 (ESR) prior to their patched releases. The flaw stems from insufficient validation of agent-supplied <code>AllowedIPs</code>, allowing a malicious Coder agent to advertise arbitrary network prefixes. This enables the agent to hijack network traffic intended for other agents, intercepting web terminal and workspace application communications, and potentially serving spoofed content. Exploitation requires an authenticated user with a running workspace and a modified agent binary. This vulnerability could lead to significant data exposure, credential theft, or further compromise of an organization's development environment. The issue was independently disclosed by Anthropic's Security Team.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated user gains access to a Coder environment and initiates a workspace.</li>
<li>The authenticated user modifies their Coder agent binary to include malicious functionality capable of manipulating <code>AllowedIPs</code> advertisements.</li>
<li>The malicious Coder agent connects to the Coder tailnet coordinator.</li>
<li>The malicious agent advertises arbitrary <code>AllowedIPs</code> prefixes, including the tailnet address of a target victim agent, to the coordinator.</li>
<li>Due to the vulnerability (CVE-2026-55428), the Coder coordinator, lacking proper validation, forwards these unverified <code>AllowedIPs</code> verbatim to other tunnel peers within the tailnet.</li>
<li>The other tunnel peers, receiving the malicious <code>AllowedIPs</code> configuration, install them into their WireGuard peer configurations, effectively re-routing traffic intended for the victim agent to the malicious agent.</li>
<li>The malicious agent then intercepts web terminal and workspace application traffic from the victim and can serve spoofed content, facilitating data exfiltration, credential harvesting, or further exploitation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-55428 allows an attacker to perform a sophisticated Man-in-the-Middle attack within the Coder tailnet. This enables the interception of sensitive web terminal and workspace application traffic from other users or agents, potentially leading to the theft of credentials, session tokens, or proprietary data. Furthermore, the ability to serve spoofed content means attackers could phish users, deliver malicious updates, or otherwise compromise the integrity of the development environment. The vulnerability affects critical internal communication pathways, posing a severe risk to intellectual property and operational security for organizations utilizing vulnerable Coder versions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all affected Coder installations to the patched versions: Coder v2.34.2, v2.33.8, v2.32.7, or v2.29.17 to remediate CVE-2026-55428.</li>
<li>Monitor Coder coordinator logs for any agents advertising unexpected <code>AllowedIPs</code> prefixes, as this could indicate an attempted or successful exploitation.</li>
<li>Review network configurations to ensure that only trusted and authenticated agents are permitted to interact with the Coder tailnet coordinator.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>cve</category><category>route-hijacking</category><category>network-attack</category><category>supply-chain</category></item><item><title>Coder OIDC email_verified Type Coercion Bypass (CVE-2026-55076)</title><link>https://feed.craftedsignal.io/briefs/2026-07-coders-oidc-email-bypass/</link><pubDate>Mon, 06 Jul 2026 20:58:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-coders-oidc-email-bypass/</guid><description>A vulnerability, CVE-2026-55076, in Coder's OpenID Connect (OIDC) authentication callback allowed an attacker to bypass email verification due to improper Go boolean type assertion of the `email_verified` claim, leading to full account takeover for existing user accounts.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-55076, has been identified in Coder's platform, affecting versions prior to 2.34.2, 2.33.8, 2.32.7, and 2.29.17. The flaw resides in how Coder's OpenID Connect (OIDC) callback processes the <code>email_verified</code> claim from an Identity Provider (IdP). Instead of robust type coercion, Coder used a direct Go <code>bool</code> type assertion. This meant that if an IdP returned <code>email_verified</code> as a non-boolean value (e.g., the string <code>&quot;false&quot;</code>) or omitted the claim entirely, Coder's system would incorrectly default to treating the email as verified. This misinterpretation, combined with an unconditional email-based account fallback feature, created a pathway for unauthenticated account takeover, enabling attackers to gain full control over a victim's existing Coder account without requiring prior authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Account Registration</strong>: The victim legitimately registers and creates an account on a Coder instance, likely linked to their corporate email address.</li>
<li><strong>Attacker IdP Setup</strong>: The attacker registers an OpenID Connect (OIDC) Identity Provider (IdP) and configures it to impersonate the victim's email address.</li>
<li><strong>IdP Claim Manipulation</strong>: The attacker's IdP is configured to either omit the <code>email_verified</code> claim or return it as a non-boolean string (e.g., <code>&quot;false&quot;</code>) during an authentication response.</li>
<li><strong>OIDC Authentication Attempt</strong>: The attacker initiates an OIDC login attempt to the target Coder instance, selecting their malicious IdP.</li>
<li><strong>Type Coercion Bypass</strong>: Coder's OIDC callback receives the IdP response and, due to the vulnerability, incorrectly processes the <code>email_verified</code> claim (or its absence) as verified.</li>
<li><strong>Account Fallback Activation</strong>: Coder's unconditional email-based account fallback mechanism matches the (falsely) verified email from the IdP to the victim's existing Coder account.</li>
<li><strong>Session Establishment</strong>: Coder grants the attacker a valid session for the victim's account, resulting in a full account takeover.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-55076 allows for complete account takeover of any existing Coder user. An attacker does not need prior authentication to the Coder instance. This means sensitive data, project code, and system configurations associated with the compromised account become fully accessible to the attacker. While no specific victim count or targeted sector is provided, Coder is widely used for development environments, meaning a wide range of organizations and intellectual property could be at risk. The direct result is unauthorized access to development infrastructure and potential lateral movement within an organization's ecosystem.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-55076 immediately</strong> by upgrading your Coder instance to version 2.34.2, 2.33.8, 2.32.7, or 2.29.17 as described in the brief.</li>
<li><strong>Review IdP configurations</strong>: Ensure your Identity Provider (IdP) for OIDC returns the <code>email_verified</code> claim as a native JSON boolean (<code>true</code> or <code>false</code>) to mitigate risks in case of other application vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>account-takeover</category><category>oidc</category><category>vulnerability</category><category>web-application</category></item><item><title>Coder OIDC Account Takeover Vulnerabilities (CVE-2026-55075)</title><link>https://feed.craftedsignal.io/briefs/2026-07-coder-oidc-at/</link><pubDate>Mon, 06 Jul 2026 20:57:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-coder-oidc-at/</guid><description>Two critical flaws in Coder's OIDC login mechanism, CVE-2026-55075, allow an attacker to achieve account takeover by exploiting email-based user matching without proper IdP subject checks and bypassing the `email_verified` claim, leading to full access to victim workspaces and resources.</description><content:encoded><![CDATA[<p>CVE-2026-55075 describes two critical vulnerabilities discovered in Coder's OpenID Connect (OIDC) login process, publicly disclosed in July 2026 by Anthropic's Security Team. The first flaw involves email-based user matching, which would link a Coder account to an OIDC identity based solely on a matching email address, even if an existing link to a different Identity Provider (IdP) subject was present. The second flaw permits bypassing the <code>email_verified</code> claim, where the system incorrectly treated an absent or non-boolean <code>email_verified</code> claim as verified. Chaining these issues allows an attacker controlling a matching email address at the OIDC provider to log in as a victim Coder user, gaining full access to their development workspaces, templates, and resources. This vulnerability specifically targets Coder installations configured with OIDC authentication, affecting versions prior to <code>v2.29.17</code> and specific ranges within the <code>2.30.x</code>, <code>2.33.x</code>, and <code>2.34.x</code> series.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Coder instance configured to use OIDC authentication.</li>
<li>Attacker discovers a victim's email address registered with a Coder account on the target instance.</li>
<li>Attacker registers or takes control of an account at the configured OIDC provider using the victim's email address.</li>
<li>Attacker initiates an OIDC login flow to the vulnerable Coder instance, authenticating via their controlled OIDC provider account.</li>
<li>The OIDC provider issues an ID Token to the attacker, where the <code>email_verified</code> claim is either absent or has a non-boolean value.</li>
<li>The vulnerable Coder instance processes the ID Token, but due to CVE-2026-55075, it bypasses the <code>email_verified</code> check and performs user matching based solely on the email address.</li>
<li>The Coder instance incorrectly links the attacker's OIDC identity to the victim's existing Coder account.</li>
<li>The attacker is granted full access to the victim's Coder account, including workspaces, templates, and resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-55075 leads to complete account takeover within the affected Coder environment. An attacker gains full administrative access to the victim's Coder workspaces, templates, and any associated resources, including access to sensitive code, development environments, and potentially integrated systems. This could lead to data exfiltration, intellectual property theft, code manipulation, or further lateral movement within an organization's development infrastructure. The prerequisites for this attack include the use of OIDC authentication, the attacker's ability to control an email address at the IdP matching the victim's Coder account, and the victim's account not already being linked to a different IdP subject.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch all Coder installations to the recommended versions to address CVE-2026-55075: <code>v2.34.2</code>, <code>v2.33.8</code>, <code>v2.32.7</code>, or <code>v2.29.17</code>.</li>
<li>As a temporary workaround for CVE-2026-55075, configure your OIDC provider to disallow self-registration of user accounts.</li>
<li>As an additional temporary workaround for CVE-2026-55075, ensure your OIDC provider is configured to strictly require email verification before issuing ID Tokens for user accounts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>oidc</category><category>account-takeover</category><category>vulnerability</category><category>coder</category><category>cloud</category></item></channel></rss>