Authorization Bypass in Coder's AI Bridge Proxy for Terraform
CVE-2026-55435

5.4MEDIUM

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-55435?

The Coder AI Bridge Proxy allows organizations to create remote development environments via Terraform. A flaw exists in versions 2.30.0 to 2.32.6 where the proxy endpoints fail to verify the suspended status of user accounts during API key authentication. As a result, API keys of suspended users remain valid, posing a risk until those keys are manually deleted. It's crucial to upgrade to versions 2.32.7, 2.33.8, or 2.34.2 to mitigate this issue. Users are advised to revoke API keys upon suspending accounts for added security.

Affected Version(s)

coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2

coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.