{"data":{"id":"2c52f6b5-18f7-4877-a23e-a41e2ad96b9a","title":"GHSA-75vm-6w67-gwvp: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking","summary":"Coder's OIDC (OpenID Connect, a login standard) authentication had a bug where it didn't properly check if an email was verified when the identity provider returned the verification status as a string or omitted it entirely, causing it to assume the email was verified by default. An attacker could use this flaw to take over someone's account by registering their email at a compatible identity provider without verifying it, then logging in through OIDC to gain access to the victim's Coder account.","solution":"Upgrade to one of the patched versions: v2.34.2 (for release line 2.34), v2.33.8 (for 2.33), v2.32.7 (for 2.32), or v2.29.17 (for 2.29 ESR). The fix properly handles the `email_verified` claim across boolean, string, and numeric types and blocks email-based account matching when the user already has a different linked identity provider. As a temporary workaround, ensure your identity provider returns `email_verified` as a native JSON boolean, though upgrading is still required to fully address the email-fallback linking issue.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-75vm-6w67-gwvp","publishedAt":"2026-07-06T20:50:35.000Z","cveId":"CVE-2026-55076","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["github.com/coder/coder/v2@< 2.29.17 (fixed: 2.29.17)","github.com/coder/coder/v2@>= 2.30.0, < 2.32.7 (fixed: 2.32.7)","github.com/coder/coder/v2@>= 2.33.0, < 2.33.8 (fixed: 2.33.8)","github.com/coder/coder/v2@>= 2.34.0, < 2.34.2 (fixed: 2.34.2)"],"affectedVendors":[],"affectedVendorsRaw":["Coder","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-07-06T20:50:35.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.72,"researchCategory":null,"atlasIds":null}}