OIDC Login Vulnerability in Coder Remote Development Environment
CVE-2026-55075

7.4HIGH

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-55075?

The Coder platform, which facilitates the provisioning of remote development environments, has two significant flaws in its OpenID Connect (OIDC) login mechanism. These vulnerabilities allow an adversary to exploit email-based user matching, as the system lacks proper checks for pre-existing links to different identity providers (IdPs). Additionally, the 'email_verified' claim is inadequately enforced, enabling scenarios where an absent or non-boolean claim could be wrongly interpreted as verified. To mitigate risks, Coder has released updates to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, which modify this fallback mechanism and default the email_verified field to false for ambiguous cases. Organizations are advised to implement configurations that disallow self-registration or mandate email verification prior to issuing tokens for added safety.

Affected Version(s)

coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2

coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7

References

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.