OIDC Login Vulnerability in Coder Remote Development Environment
CVE-2026-55075
What is CVE-2026-55075?
The Coder platform, which facilitates the provisioning of remote development environments, has two significant flaws in its OpenID Connect (OIDC) login mechanism. These vulnerabilities allow an adversary to exploit email-based user matching, as the system lacks proper checks for pre-existing links to different identity providers (IdPs). Additionally, the 'email_verified' claim is inadequately enforced, enabling scenarios where an absent or non-boolean claim could be wrongly interpreted as verified. To mitigate risks, Coder has released updates to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, which modify this fallback mechanism and default the email_verified field to false for ambiguous cases. Organizations are advised to implement configurations that disallow self-registration or mandate email verification prior to issuing tokens for added safety.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
