Fluid Attacks Database

Description

Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

Summary

azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. {"vmId":"<target>"} and the forged vmId will be accepted returning the victim workspace agent's session token.

No authentication is required. The attacker only needs to know a target VM's vmId which is a UUIDv4.

that's a practical limitation which would typically require prior access to be exploited

Root Cause

In unpatched Coder releases the signature over the PKCS#7 content is not validated - only the signing certificate is checked.

Impact

An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can:

Steal an agent session token by sending a forged PKCS#7 envelope to POST /api/v2/workspaceagents/azure-instance-identity which is unauthenticated.

With the stolen token access:

Git SSH private key via GET /workspaceagents/me/gitsshkey: push to repositories and impersonate the workspace owner.

OAuth access tokens via GET /workspaceagents/me/external-auth: GitHub, GitLab, and Bitbucket tokens in plaintext.

Workspace secrets via the agent manifest: environment variables, file paths, and API keys.

Attack Path Diagram

Affected Versions

All versions of Coder v2 are affected.

Patches

Fixed in #25286

The fix was backported to all supported release lines:

Patched Versions
v2.33.3
v2.32.2
v2.31.12
v2.30.8
v2.29.13
v2.24.5

Workarounds

If unable to patch we recommend immediately reconfiguring any Azure templates to use token authentication rather than azure-instance-identity until the patch is released and you are fully upgraded.

Modify the coder_agent.auth value to be token.

Add CODER_AGENT_TOKEN=${coder_agent.main.token} to the set of environment variables for the Coder Workspace Agent initialization script.

Recognition

We'd like to thank Ben Tran of calif.io and Anthropic’s Security Team (ANT-2026-22445) for independently disclosing this issue!

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/coder/coder/v2	>=2.33.0-rc.0 <2.33.3 \|\| >=2.32.0-rc.0 <2.32.2 \|\| >=2.31.0 <2.31.12 \|\| >=2.30.0 <2.30.8 \|\| >=2.29.0 <2.29.13 \|\| >=0 <2.24.5	2.33.3, 2.32.2, 2.31.12, 2.30.8, 2.29.13, 2.24.5
go	github.com/coder/coder	>=0 <=0.27.3	-

Aliases

1. CVE-2026-463542. NVD-2026-463543. OSV-2026-463544. GHSA-6x44-w3xg-hqqf5. GCVE-2026-46354

References

1. https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf2. https://github.com/coder/coder/pull/252863. https://github.com/coder/coder/releases/tag/v2.24.54. https://github.com/coder/coder/releases/tag/v2.29.135. https://github.com/coder/coder/releases/tag/v2.30.86. https://github.com/coder/coder/releases/tag/v2.31.127. https://github.com/coder/coder/releases/tag/v2.32.28. https://github.com/coder/coder/releases/tag/v2.33.3