Authorization Bypass in Coder's AI Bridge Proxy for Terraform
CVE-2026-55435
5.4MEDIUM
What is CVE-2026-55435?
The Coder AI Bridge Proxy allows organizations to create remote development environments via Terraform. A flaw exists in versions 2.30.0 to 2.32.6 where the proxy endpoints fail to verify the suspended status of user accounts during API key authentication. As a result, API keys of suspended users remain valid, posing a risk until those keys are manually deleted. It's crucial to upgrade to versions 2.32.7, 2.33.8, or 2.34.2 to mitigate this issue. Users are advised to revoke API keys upon suspending accounts for added security.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
