Coder, the prominent self-hosted platform used by enterprises to build cloud development environments and manage AI coding agents, has patched a critical security flaw. Tracked as CVE-2026-46354, the vulnerability carries a severe CVSS base score of 9.1, representing an immediate threat to organizations leveraging Azure-based developer infrastructure.
The flaw exposes a fundamental verification breakdown inside Coder’s identity validation logic, allowing entirely unauthenticated, remote attackers to steal workspace session tokens and walk away with plaintext OAuth credentials, private Git keys, and corporate secrets.
At the center of Coder’s infrastructure, workspaces are defined natively using Terraform, maintaining secure communication pipelines through Wireguard tunnels. For environments hosted on Microsoft Azure, Coder utilizes Azure Instance Metadata Service (IMDS) identity structures—specifically leveraging PKCS#7 cryptographic envelopes—to verify that an initializing Coder Agent is running on a legitimate, authorized virtual machine.
The security breakdown occurs inside Coder’s internal validation routine: azureidentity.Validate().
When an agent attempts to register, this function diligently checks that the attached PKCS#7 signing certificate chains back to a trusted, authentic Azure Certificate Authority (CA). However, it forgets the most critical step of the cryptographic handshake. As the advisory details:
“azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. In unpatched Coder releases the signature over the PKCS#7 content is not validated – only the signing certificate is checked.”
This means the application validates the legitimacy of the passport, but completely fails to check if the photo inside has been altered. An attacker can simply take a real, publicly available Azure IMDS certificate—which can be easily retrieved from public Certificate Transparency (CT) logs—and paste it right alongside completely arbitrary, fabricated content.
Because the underlying signature isn’t verified, executing the exploit requires absolutely zero authentication. The only prerequisite for a threat actor is acquiring a target virtual machine’s unique vmid (Virtual Machine Identifier), which is formatted as a standard UUIDv4 string.
An attacker constructs a forged PKCS#7 envelope containing a fake JSON body mapping out the target’s identifier: {"vmid":"<target>"}. They then fire this payload directly at an unauthenticated backend endpoint:
Coder’s validation function parses the packet, confirms the certificate belongs to Azure, skips the signature check, and accepts the forged data as absolute truth. The server then responds by handing the attacker the active session token belonging to the victim’s workspace agent.
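The gap the advisory describes, modelled as an added example (not Coder's own code): a minimal check that, like the unpatched routine, only verifies that the signer certificate chains to a trusted CA, next to the corrected check that also verifies the signature over the PKCS#7 content. The CA, signer certificate, key type (Ed25519) and vmid bodies are all constructed for the demo and are not Azure's real IMDS chain.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// validate models azureidentity.Validate(): the PKCS#7 signer certificate must chain to a
// trusted CA. Unpatched releases stopped there; with checkSig the signature over the content
// is also verified with that certificate's public key, the step the advisory found missing.
func validate(content, sig []byte, signer *x509.Certificate, roots *x509.CertPool, checkSig bool) error {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if !checkSig {
		return nil // vulnerable path: arbitrary content is accepted beside a genuine certificate
	}
	return signer.CheckSignature(x509.PureEd25519, content, sig)
}
// mintCert issues a constructed test certificate (self-signed when parent is nil); a failure yields a nil cert.
func mintCert(cn string, isCA bool, pub ed25519.PublicKey, parent *x509.Certificate, key ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// demo signs a genuine vmid body with the leaf key, then pairs that real certificate and
// signature with a different body, and reports which validation variant accepts what.
func demo() (genuineOK, forgedOldOK, forgedFixedOK bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := mintCert("constructed-ca", true, caPub, nil, caKey)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	leaf := mintCert("constructed-imds-signer", false, leafPub, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	genuine := []byte(`{"vmid":"11111111-1111-4111-8111-111111111111"}`) // constructed sample body
	sig := ed25519.Sign(leafKey, genuine)
	forged := []byte(`{"vmid":"<some other vmid>"}`) // swapped body, real cert and signature reused
	return validate(genuine, sig, leaf, roots, true) == nil,
		validate(forged, sig, leaf, roots, false) == nil,
		validate(forged, sig, leaf, roots, true) == nil
}
```

The chain-only variant returns no error for the swapped body, which is exactly why a trusted certificate alone proves nothing about the content it is packaged with.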
Once an adversary holds a hijacked workspace agent token, Coder’s robust integration ecosystem inadvertently becomes a goldmine for lateral movement and supply chain compromise. Using the stolen token, the attacker can interact with the server’s endpoints to harvest three high-value asset classes:
- Plaintext OAuth Tokens: By querying GET /workspaceagents/me/external-auth, the attacker can exfiltrate active, plaintext access tokens for external code registries, including GitHub, GitLab, and Bitbucket.
- Git SSH Private Keys: Via GET /workspaceagents/me/gitsshkey, the attacker can lift private keys to impersonate the workspace owner, granting them the ability to read or push unauthorized commits straight into upstream repositories.
- Workspace Secrets: By pulling down the raw agent manifest, threat actors gain immediate visibility into hardcoded environment variables, localized system file paths, and enterprise API keys.
The vulnerability casts a wide net, compromising all versions of Coder v2.
The Coder development team has officially resolved the flaw under pull request #25286. The core security fix has been backported across all supported release branches. Administrators must update their deployments to, or beyond, the following patched baselines immediately: v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, and v2.24.5.
If production constraints prevent immediate patching, security teams should implement a temporary configuration workaround to shut down the vulnerable Azure authentication channel entirely. Coder recommends modifying the active Azure architecture templates to enforce token authentication over instance identity:
- Modify the `coder_agent.auth` value to be `token`.
- Add `CODER_AGENT_TOKEN=${coder_agent.main.token}` to the set of environment variables for the Coder Workspace Agent initialization script.