Remote Development Environment Vulnerability in Coder Products
CVE-2026-46354

9.1CRITICAL

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-46354?

The Coder product provides capabilities for provisioning remote development environments through Terraform. In specific versions, the azureidentity.Validate() method improperly verifies PKCS#7 signer certificate chains against a trusted Azure CA without validating the PKCS#7 signature itself. This oversight allows an attacker, who only needs knowledge of a target VM's vmId, to craft a legitimate Azure certificate embedded with arbitrary content. As a result, the forged vmId may be accepted, granting the attacker unauthorized access to the victim's workspace agent's session token. Relevant versions have been updated to address this oversight, and users are advised to implement token authentication in their Azure templates as a temporary measure.

Affected Version(s)

coder >= 2.33.0-rc.0, < 2.33.3 < 2.33.0-rc.0, 2.33.3

coder >= 2.32.0-rc.0, < 2.32.2 < 2.32.0-rc.0, 2.32.2

coder >= 2.31.0, < 2.31.12 < 2.31.0, 2.31.12

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.