{"data":{"id":"63452538-9bea-4ab4-9786-8aacd2205480","title":"GHSA-6x44-w3xg-hqqf: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft","summary":"Coder's Azure instance identity verification has a critical flaw: it checks that the certificate comes from a trusted Azure authority but never verifies the PKCS#7 signature itself (the cryptographic proof that the signed data has not been tampered with). An unauthenticated attacker can therefore forge identity data and steal agent session tokens that grant access to Git keys, OAuth tokens, and secrets. All Coder v2 versions prior to the patched releases are affected.","solution":"Update to a patched version: v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, or v2.24.5. If you cannot patch immediately, reconfigure Azure templates to use token authentication instead of azure-instance-identity: set coder_agent.auth to 'token' and add CODER_AGENT_TOKEN=${coder_agent.main.token} to the environment variables.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-6x44-w3xg-hqqf","publishedAt":"2026-05-19T20:04:13.000Z","cveId":"CVE-2026-46354","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["github.com/coder/coder@<= 0.27.3","github.com/coder/coder/v2@< 2.24.5 (fixed: 2.24.5)","github.com/coder/coder/v2@>= 2.29.0, < 2.29.13 (fixed: 2.29.13)","github.com/coder/coder/v2@>= 2.30.0, < 2.30.8 (fixed: 2.30.8)","github.com/coder/coder/v2@>= 2.31.0, < 2.31.12 (fixed: 2.31.12)"],"affectedVendors":[],"affectedVendorsRaw":["Coder","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-19T20:04:13.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}