CVE-2026-55435 in Coder
Summary
by MITRE • 07/07/2026
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability described affects Coder's AI Bridge proxy endpoints where authentication relies on Server.IsAuthorized function within coderd/aibridgedserver component. This authentication mechanism validates key format, expiry, secret, and checks for deleted or system users but fails to verify account suspension status. The flaw represents a privilege escalation vulnerability that allows suspended users to continue operating within the system using previously issued API keys until those keys are explicitly revoked. This issue exists across multiple versions including 2.30.0 through 2.32.6, 2.33.7, and 2.34.1, creating a window of opportunity for unauthorized continued access by suspended accounts. The authentication flow does not incorporate account status validation during token verification, which constitutes a failure in principle of least privilege and proper access control implementation.
The technical implementation flaw stems from the absence of suspension status checks within the authentication validation process. When a user account is suspended, existing API keys remain functional despite the account being effectively disabled from normal operations. This creates a scenario where suspended users can continue to execute privileged actions through their valid tokens until those keys are manually deleted from the system. The vulnerability directly relates to CWE-668 which describes "Exposure of Resource to Wrong Sphere" and also aligns with ATT&CK technique T1548.003 for "Abuse of Cloud Infrastructure". The authentication mechanism treats all valid tokens equally regardless of account status, bypassing the intended security controls that should prevent suspended users from accessing system resources.
The operational impact of this vulnerability is significant within cloud development environments where account suspension is a standard security measure for managing user access. Suspended users may continue to provision and manage remote development environments, potentially accessing sensitive code repositories, infrastructure resources, or performing administrative operations. This represents a critical gap in the security model as it allows suspended users to maintain active sessions and execute actions that should be prohibited. The limited practical impact mentioned in the description is misleading since suspended accounts typically lose access to core functionality but this vulnerability allows continued access through API keys.
The patching versions 2.32.7, 2.33.8, and 2.34.2 address the issue by incorporating account suspension validation into the authentication process. This fix ensures that when Server.IsAuthorized validates tokens, it also verifies that the associated user account is not suspended. The recommended workaround of manually deleting API keys via DELETE /api/v2/users/{user}/keys provides an immediate mitigation strategy but requires active administrative intervention. Organizations should implement automated processes to clean up API keys upon suspension to prevent exploitation of this vulnerability. This remediation aligns with security best practices for maintaining access control integrity and demonstrates proper account lifecycle management in cloud environments where user accounts may be suspended or terminated. The fix addresses fundamental access control weaknesses that could be exploited by malicious actors or compromised accounts to maintain persistence within the system.