Unauthenticated SSRF Vulnerability in Coder by Coder Technologies
CVE-2026-45796

6.5MEDIUM

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-45796?

Organizations using Coder for provisioning remote development environments via Terraform may be vulnerable due to an unauthenticated semi-blind SSRF flaw. Attackers can exploit this by submitting a crafted PKCS#7 signature to the Azure instance identity endpoint. Although the server does not return the response body from the target, it provides error messages, indicating whether the intended target is accessible. To mitigate this risk, organizations should either upgrade to safe versions or restrict access to the vulnerable endpoint when not using the Azure identity-auth mechanism.

Affected Version(s)

coder >= 2.33.0-rc.0, < 2.33.3 < 2.33.0-rc.0, 2.33.3

coder >= 2.32.0-rc.0, < 2.32.2 < 2.32.0-rc.0, 2.32.2

coder >= 2.31.0, < 2.31.12 < 2.31.0, 2.31.12

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.