CVE-2026-45796 in Coderinfo

Summary

by MITRE • 07/08/2026

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target's response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, if the Azure identity-auth mechanism is not being used then restrict access to the corresponding endpoint (`/api/v2/workspaceagents/azure-instance-identity`) using ingress firewall and/or proxy ACLs.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability affects Coder platform versions prior to specific patched releases, creating a significant security risk through an unauthenticated semi-blind server-side request forgery flaw in the Azure instance identity endpoint. This issue exists within the POST /api/v2/workspaceagents/azure-instance-identity endpoint which processes PKCS#7 signatures without proper validation of the underlying requests. The flaw allows external attackers to force the Coder server to make HTTP GET requests to arbitrary targets, effectively enabling them to probe internal networks and potentially discover sensitive systems or services that would otherwise be hidden from external view. This represents a critical weakness in the platform's access controls and request handling mechanisms.

The technical implementation of this vulnerability stems from insufficient validation of PKCS#7 signatures during the Azure identity authentication process. When an attacker submits a crafted signature, the system processes it through the Azure instance identity endpoint without adequate sanitization or verification of the target addresses within the signature structure. The server's response behavior reveals crucial information about network reachability and failure types through error messages that indicate whether targets are accessible or what specific connection problems occurred. This semi-blind nature means while complete response data is not returned, enough information leaks to allow attackers to perform reconnaissance activities such as port scanning or service identification against internal systems.

The operational impact of this vulnerability extends beyond simple network probing as it enables attackers to potentially map internal network topologies and identify running services behind firewalls. The flaw particularly affects organizations that rely on Azure identity mechanisms for their development environments, creating a vector through which external adversaries could gain intelligence about internal infrastructure without requiring authentication or privileged access. This reconnaissance capability can serve as a foundation for more sophisticated attacks targeting other system components within the organization's network ecosystem. The vulnerability is especially concerning in cloud-native environments where Coder instances may have elevated privileges and access to sensitive internal resources.

Mitigation strategies include immediate deployment of patched versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 which address the core validation issue in the Azure identity endpoint processing. Organizations should also implement network-level restrictions by blocking access to the vulnerable endpoint using ingress firewalls or proxy ACLs when Azure identity authentication is not actively required. This workaround approach aligns with principle of least privilege practices and reduces the attack surface for this specific vulnerability category. The flaw maps directly to CWE-918 Server-Side Request Forgery and falls under ATT&CK technique T1071.004 Application Layer Protocol: DNS, as it enables attackers to leverage legitimate authentication mechanisms for reconnaissance purposes while maintaining operational security through the semi-blind response characteristics of the vulnerability.

Additional defensive measures include implementing network segmentation to isolate Coder instances from critical internal systems, monitoring for unusual patterns in Azure identity endpoint usage, and conducting regular security assessments of cloud infrastructure components. Organizations should also consider implementing API rate limiting and request validation controls to prevent abuse of authentication endpoints. The vulnerability demonstrates the importance of validating all inputs from authentication mechanisms and properly isolating trusted internal services from potentially malicious external requests. This issue highlights the need for comprehensive security testing of cloud platform integrations and proper handling of certificate-based authentication flows in distributed system architectures.

Responsible

GitHub M

Reservation

05/13/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!