Unauthenticated SSRF Vulnerability in Coder by Coder Technologies
CVE-2026-45796
6.5MEDIUM
What is CVE-2026-45796?
Organizations using Coder for provisioning remote development environments via Terraform may be vulnerable due to an unauthenticated semi-blind SSRF flaw. Attackers can exploit this by submitting a crafted PKCS#7 signature to the Azure instance identity endpoint. Although the server does not return the response body from the target, it provides error messages, indicating whether the intended target is accessible. To mitigate this risk, organizations should either upgrade to safe versions or restrict access to the vulnerable endpoint when not using the Azure identity-auth mechanism.
Affected Version(s)
coder >= 2.33.0-rc.0, < 2.33.3 < 2.33.0-rc.0, 2.33.3
coder >= 2.32.0-rc.0, < 2.32.2 < 2.32.0-rc.0, 2.32.2
coder >= 2.31.0, < 2.31.12 < 2.31.0, 2.31.12
