CVE-2026-55075 in Coder
Summary
by MITRE • 07/08/2026
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability in Coder's OpenID Connect authentication system represents a critical account takeover risk that emerged from two interconnected flaws in the identity provisioning process. This issue affected organizations using Coder's remote development environments provisioned through Terraform, creating a dangerous scenario where attackers could potentially assume control of user accounts through manipulation of the authentication flow. The vulnerability specifically impacted versions prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2, highlighting the importance of timely security updates in cloud infrastructure platforms.
The technical flaw stems from improper handling of user identity mapping during OIDC authentication flows. When users authenticated through external identity providers, Coder's system would attempt to match existing accounts based on email addresses as a fallback mechanism when direct subject identifier matching failed. This email-based matching process lacked proper validation to ensure that an email address was not already associated with a different identity provider subject, creating a potential for account consolidation attacks where malicious actors could link their credentials to existing legitimate accounts. Additionally, the system's interpretation of the email_verified claim demonstrated a dangerous default behavior where absent or improperly formatted claims were treated as verified, bypassing crucial security checks that should validate user email ownership.
The operational impact of this vulnerability extends beyond simple authentication bypasses, creating potential for privilege escalation and unauthorized access to development environments. Attackers could exploit these flaws by registering accounts through one identity provider and then manipulating the authentication flow to associate those credentials with existing legitimate user accounts, effectively enabling them to impersonate authorized users. This type of vulnerability directly aligns with CWE-287 (Improper Authentication) and represents a significant deviation from secure authentication practices that require explicit verification of user identities before granting access privileges.
The security implications of this vulnerability extend into the realm of identity management and access control, where proper account linking mechanisms should prevent cross-provider account consolidation without explicit user consent. The fix implemented in the patched versions addresses both aspects of the vulnerability by restricting email-based fallback mechanisms to only first-time registrations and legacy account scenarios, while also implementing a default false value for the email_verified claim when the claim is absent or malformed. This approach aligns with ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) and demonstrates proper defense-in-depth principles by implementing multiple layers of verification.
Organizations affected by this vulnerability should implement immediate mitigations to prevent exploitation while awaiting patch deployment. The recommended workaround involves configuring the OIDC provider to either disable self-registration capabilities or require explicit email verification before issuing authentication tokens, effectively preventing the account takeover scenario from occurring. These measures should be implemented alongside regular security monitoring and access reviews to ensure that unauthorized access attempts are detected and mitigated promptly. The vulnerability serves as a reminder of the critical importance of proper identity validation in distributed systems and the potential consequences of insufficient authentication controls in cloud-based development platforms.