CVE-2024-27918 in Coder
Summary
by MITRE • 03/21/2024
Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user's email was improperly validated against the allowed `CODER_OIDC_EMAIL_DOMAIN`s. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register. An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider.
Coder instances with OIDC enabled and protected by the `CODER_OIDC_EMAIL_DOMAIN` configuration are affected. Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider. Public OIDC providers are impacted. GitHub authentication and external authentication are not impacted. This vulnerability is remedied in versions 2.8.4, 2.7.3, and 2.6.1 All versions prior to these patches are affected by the vulnerability.*It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the `CODER_OIDC_EMAIL_DOMAIN` setting.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/05/2025
The vulnerability identified as CVE-2024-27918 affects Coder platforms that utilize OpenID Connect (OIDC) authentication for provisioning remote development environments through Terraform. This security flaw resides in the validation logic governing email domain restrictions within the OIDC authentication flow, specifically impacting deployments where the `CODER_OIDC_EMAIL_DOMAIN` configuration is used to limit access to authorized email domains. The vulnerability represents a critical authorization bypass issue that undermines the intended security controls designed to restrict user access based on email domain membership.
The technical implementation flaw stems from improper email validation during the OIDC registration process where the system fails to perform strict domain matching against the allowed email domains specified in the `CODER_OIDC_EMAIL_DOMAIN` configuration. This weakness allows attackers to exploit partial domain matching logic, enabling registration of accounts with email addresses from domains that are not explicitly included in the allowlist. The vulnerability specifically affects deployments using public OIDC providers where users can self-register, creating a pathway for malicious actors to register accounts using domains that partially match allowed domains through clever domain manipulation techniques. This behavior violates the expected security boundary enforcement and creates unauthorized access opportunities for threat actors.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to potentially establish persistent footholds within development environments managed by Coder platforms. Organizations utilizing public OIDC providers with domain-based access controls are particularly at risk since the vulnerability allows attackers to register accounts using domain names that exploit the partial matching logic. The vulnerability affects versions prior to 2.6.1, 2.7.3, and 2.8.4, with the specific technical weakness lying in how the system processes and validates email addresses during the authentication handshake. This flaw can be categorized under CWE-287 (Improper Authentication) and aligns with ATT&CK techniques related to credential access and privilege escalation through authentication bypass methods.
Security practitioners should note that this vulnerability is not present in deployments using private OIDC providers where user registration requires pre-existing accounts on the provider's system, making the attack surface significantly more limited in such environments. The remediation requires immediate upgrade to patched versions 2.8.4, 2.7.3, or 2.6.1, as the vulnerability affects all versions prior to these releases. Organizations should conduct immediate assessment of their OIDC configurations and consider implementing additional monitoring for suspicious registration patterns. The vulnerability demonstrates the critical importance of proper input validation and domain matching logic in authentication systems, particularly when implementing access control mechanisms that rely on email domain restrictions. This issue highlights the necessity of thorough testing of authentication flows and the potential for subtle validation flaws to create significant security risks in cloud development platforms.