{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/coder--2.30.0--2.32.7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Coder \u003c 2.29.17","Coder \u003e= 2.30.0 \u003c 2.32.7","Coder \u003e= 2.33.0 \u003c 2.33.8","Coder \u003e= 2.34.0 \u003c 2.34.2"],"_cs_severities":["high"],"_cs_tags":["account-takeover","oidc","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["Coder"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-55076, has been identified in Coder's platform, affecting versions prior to 2.34.2, 2.33.8, 2.32.7, and 2.29.17. The flaw resides in how Coder's OpenID Connect (OIDC) callback processes the \u003ccode\u003eemail_verified\u003c/code\u003e claim from an Identity Provider (IdP). Instead of robust type coercion, Coder used a direct Go \u003ccode\u003ebool\u003c/code\u003e type assertion. This meant that if an IdP returned \u003ccode\u003eemail_verified\u003c/code\u003e as a non-boolean value (e.g., the string \u003ccode\u003e\u0026quot;false\u0026quot;\u003c/code\u003e) or omitted the claim entirely, Coder's system would incorrectly default to treating the email as verified. This misinterpretation, combined with an unconditional email-based account fallback feature, created a pathway for unauthenticated account takeover, enabling attackers to gain full control over a victim's existing Coder account without requiring prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Account Registration\u003c/strong\u003e: The victim legitimately registers and creates an account on a Coder instance, likely linked to their corporate email address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker IdP Setup\u003c/strong\u003e: The attacker registers an OpenID Connect (OIDC) Identity Provider (IdP) and configures it to impersonate the victim's email address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdP Claim Manipulation\u003c/strong\u003e: The attacker's IdP is configured to either omit the \u003ccode\u003eemail_verified\u003c/code\u003e claim or return it as a non-boolean string (e.g., \u003ccode\u003e\u0026quot;false\u0026quot;\u003c/code\u003e) during an authentication response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOIDC Authentication Attempt\u003c/strong\u003e: The attacker initiates an OIDC login attempt to the target Coder instance, selecting their malicious IdP.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eType Coercion Bypass\u003c/strong\u003e: Coder's OIDC callback receives the IdP response and, due to the vulnerability, incorrectly processes the \u003ccode\u003eemail_verified\u003c/code\u003e claim (or its absence) as verified.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Fallback Activation\u003c/strong\u003e: Coder's unconditional email-based account fallback mechanism matches the (falsely) verified email from the IdP to the victim's existing Coder account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession Establishment\u003c/strong\u003e: Coder grants the attacker a valid session for the victim's account, resulting in a full account takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-55076 allows for complete account takeover of any existing Coder user. An attacker does not need prior authentication to the Coder instance. This means sensitive data, project code, and system configurations associated with the compromised account become fully accessible to the attacker. While no specific victim count or targeted sector is provided, Coder is widely used for development environments, meaning a wide range of organizations and intellectual property could be at risk. The direct result is unauthorized access to development infrastructure and potential lateral movement within an organization's ecosystem.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-55076 immediately\u003c/strong\u003e by upgrading your Coder instance to version 2.34.2, 2.33.8, 2.32.7, or 2.29.17 as described in the brief.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview IdP configurations\u003c/strong\u003e: Ensure your Identity Provider (IdP) for OIDC returns the \u003ccode\u003eemail_verified\u003c/code\u003e claim as a native JSON boolean (\u003ccode\u003etrue\u003c/code\u003e or \u003ccode\u003efalse\u003c/code\u003e) to mitigate risks in case of other application vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T20:58:08Z","date_published":"2026-07-06T20:58:08Z","id":"https://feed.craftedsignal.io/briefs/2026-07-coders-oidc-email-bypass/","summary":"A vulnerability, CVE-2026-55076, in Coder's OpenID Connect (OIDC) authentication callback allowed an attacker to bypass email verification due to improper Go boolean type assertion of the `email_verified` claim, leading to full account takeover for existing user accounts.","title":"Coder OIDC email_verified Type Coercion Bypass (CVE-2026-55076)","url":"https://feed.craftedsignal.io/briefs/2026-07-coders-oidc-email-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Coder \u003e= 2.30.0 \u003c 2.32.7","version":"https://jsonfeed.org/version/1.1"}