<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Coder &gt;= 2.34.0 &lt; 2.34.2 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/coder--2.34.0--2.34.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 20:58:08 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/coder--2.34.0--2.34.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>Coder OIDC email_verified Type Coercion Bypass (CVE-2026-55076)</title><link>https://feed.craftedsignal.io/briefs/2026-07-coders-oidc-email-bypass/</link><pubDate>Mon, 06 Jul 2026 20:58:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-coders-oidc-email-bypass/</guid><description>A vulnerability, CVE-2026-55076, in Coder's OpenID Connect (OIDC) authentication callback allowed an attacker to bypass email verification due to improper Go boolean type assertion of the `email_verified` claim, leading to full account takeover for existing user accounts.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-55076, has been identified in Coder's platform, affecting versions prior to 2.34.2, 2.33.8, 2.32.7, and 2.29.17. The flaw resides in how Coder's OpenID Connect (OIDC) callback processes the <code>email_verified</code> claim from an Identity Provider (IdP). Instead of robust type coercion, Coder used a direct Go <code>bool</code> type assertion. This meant that if an IdP returned <code>email_verified</code> as a non-boolean value (e.g., the string <code>&quot;false&quot;</code>) or omitted the claim entirely, Coder's system would incorrectly default to treating the email as verified. This misinterpretation, combined with an unconditional email-based account fallback feature, created a pathway for unauthenticated account takeover, enabling attackers to gain full control over a victim's existing Coder account without requiring prior authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Account Registration</strong>: The victim legitimately registers and creates an account on a Coder instance, likely linked to their corporate email address.</li>
<li><strong>Attacker IdP Setup</strong>: The attacker registers an OpenID Connect (OIDC) Identity Provider (IdP) and configures it to impersonate the victim's email address.</li>
<li><strong>IdP Claim Manipulation</strong>: The attacker's IdP is configured to either omit the <code>email_verified</code> claim or return it as a non-boolean string (e.g., <code>&quot;false&quot;</code>) during an authentication response.</li>
<li><strong>OIDC Authentication Attempt</strong>: The attacker initiates an OIDC login attempt to the target Coder instance, selecting their malicious IdP.</li>
<li><strong>Type Coercion Bypass</strong>: Coder's OIDC callback receives the IdP response and, due to the vulnerability, incorrectly processes the <code>email_verified</code> claim (or its absence) as verified.</li>
<li><strong>Account Fallback Activation</strong>: Coder's unconditional email-based account fallback mechanism matches the (falsely) verified email from the IdP to the victim's existing Coder account.</li>
<li><strong>Session Establishment</strong>: Coder grants the attacker a valid session for the victim's account, resulting in a full account takeover.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-55076 allows for complete account takeover of any existing Coder user. An attacker does not need prior authentication to the Coder instance. This means sensitive data, project code, and system configurations associated with the compromised account become fully accessible to the attacker. While no specific victim count or targeted sector is provided, Coder is widely used for development environments, meaning a wide range of organizations and intellectual property could be at risk. The direct result is unauthorized access to development infrastructure and potential lateral movement within an organization's ecosystem.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-55076 immediately</strong> by upgrading your Coder instance to version 2.34.2, 2.33.8, 2.32.7, or 2.29.17 as described in the brief.</li>
<li><strong>Review IdP configurations</strong>: Ensure your Identity Provider (IdP) for OIDC returns the <code>email_verified</code> claim as a native JSON boolean (<code>true</code> or <code>false</code>) to mitigate risks in case of other application vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>account-takeover</category><category>oidc</category><category>vulnerability</category><category>web-application</category></item></channel></rss>