Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
GHSA-6x44-w3xg-hqqf · CVE-2026-46354
Published · Modified
Description
Summary
azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. {"vmId":"<target>"} and the forged vmId will be accepted returning the victim workspace agent's session token.
No authentication is required. The attacker only needs to know a target VM's vmId which is a UUIDv4.
that's a practical limitation which would typically require prior access to be exploited
Root Cause
In unpatched Coder releases the signature over the PKCS#7 content is not validated - only the signing certificate is checked.
Impact
An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can:
- Steal an agent session token by sending a forged PKCS#7 envelope to
POST /api/v2/workspaceagents/azure-instance-identitywhich is unauthenticated. - With the stolen token access:
- Git SSH private key via
GET /workspaceagents/me/gitsshkey: push to repositories and impersonate the workspace owner. - OAuth access tokens via
GET /workspaceagents/me/external-auth: GitHub, GitLab, and Bitbucket tokens in plaintext. - Workspace secrets via the agent manifest: environment variables, file paths, and API keys.
- Git SSH private key via
Attack Path Diagram
Affected Versions
All versions of Coder v2 are affected.
Patches
Fixed in #25286
The fix was backported to all supported release lines:
| Patched Versions |
|---|
| v2.33.3 |
| v2.32.2 |
| v2.31.12 |
| v2.30.8 |
| v2.29.13 |
| v2.24.5 |
Workarounds
If unable to patch we recommend immediately reconfiguring any Azure templates to use token authentication rather than azure-instance-identity until the patch is released and you are fully upgraded.
- Modify the
coder_agent.authvalue to betoken. - Add
CODER_AGENT_TOKEN=${coder_agent.main.token}to the set of environment variables for the Coder Workspace Agent initialization script.
Recognition
We'd like to thank Ben Tran of calif.io and Anthropic’s Security Team (ANT-2026-22445) for independently disclosing this issue!
References
- WEB https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf
- WEB https://github.com/coder/coder/pull/25286
- PACKAGE https://github.com/coder/coder
- WEB https://github.com/coder/coder/releases/tag/v2.24.5
- WEB https://github.com/coder/coder/releases/tag/v2.29.13
- WEB https://github.com/coder/coder/releases/tag/v2.30.8
- WEB https://github.com/coder/coder/releases/tag/v2.31.12
- WEB https://github.com/coder/coder/releases/tag/v2.32.2
- WEB https://github.com/coder/coder/releases/tag/v2.33.3
Ready to move
Start Securing
Free, no credit card | First findings in minutes