Remote Development Environment Vulnerability in Coder Products
CVE-2026-46354
What is CVE-2026-46354?
The Coder product provides capabilities for provisioning remote development environments through Terraform. In specific versions, the azureidentity.Validate() method improperly verifies PKCS#7 signer certificate chains against a trusted Azure CA without validating the PKCS#7 signature itself. This oversight allows an attacker, who only needs knowledge of a target VM's vmId, to craft a legitimate Azure certificate embedded with arbitrary content. As a result, the forged vmId may be accepted, granting the attacker unauthorized access to the victim's workspace agent's session token. Relevant versions have been updated to address this oversight, and users are advised to implement token authentication in their Azure templates as a temporary measure.
Affected Version(s)
coder >= 2.33.0-rc.0, < 2.33.3 < 2.33.0-rc.0, 2.33.3
coder >= 2.32.0-rc.0, < 2.32.2 < 2.32.0-rc.0, 2.32.2
coder >= 2.31.0, < 2.31.12 < 2.31.0, 2.31.12
