GHSA-6x44-w3xg-hqqf: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
Summary
Coder's Azure identity verification has a critical flaw: it checks that a certificate comes from a trusted Azure authority but never verifies the actual PKCS#7 signature (a cryptographic signature that proves the signed data hasn't been tampered with). An attacker can therefore forge identity data and steal session tokens that grant access to Git keys, OAuth tokens, and secrets. All Coder v2 versions are affected.
Solution / Mitigation
Update to patched versions: v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, or v2.24.5. If unable to patch immediately, reconfigure Azure templates to use token authentication instead of azure-instance-identity by setting coder_agent.auth to 'token' and adding CODER_AGENT_TOKEN=${coder_agent.main.token} to environment variables.
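The workaround above, written out as a Terraform template fragment. This is an added illustration, not Coder's own template or a file from the advisory: the resource names, the azurerm_linux_virtual_machine resource and the cloud-init layout are assumptions, and only coder_agent.auth, coder_agent.main.token and CODER_AGENT_TOKEN come from the advisory text.

```hcl
# Added example of the token-authentication workaround; names and the
# cloud-init layout below are assumptions, not Coder's template.

resource "coder_agent" "main" {
  os   = "linux"
  arch = "amd64"

  # Mitigation: authenticate the agent with a per-workspace token that
  # Terraform generates, instead of the Azure instance identity document
  # whose PKCS#7 signature the affected versions do not verify.
  auth = "token" # previously: auth = "azure-instance-identity"
}

resource "azurerm_linux_virtual_machine" "workspace" {
  # name, size, image, network and admin settings omitted (assumed to
  # match the existing template)

  # Hand the token to the agent as an environment variable at boot. With
  # auth = "token" the VM never has to prove its identity via the instance
  # metadata service, so the unverified signature is never relied on.
  custom_data = base64encode(<<-EOT
    #cloud-config
    write_files:
      - path: /opt/coder/init.sh
        permissions: "0755"
        content: |
          ${indent(6, coder_agent.main.init_script)}
    runcmd:
      - ["sh", "-c", "CODER_AGENT_TOKEN='${coder_agent.main.token}' /opt/coder/init.sh"]
  EOT
  )
}
```

Note the trade-off this workaround accepts: the agent token becomes a secret embedded in the VM's user data, so anyone who can read the instance's custom data can read it. That is still strictly better than the affected path, where the Azure identity check could be satisfied with forged data, and it should be reverted to the patched versions' behaviour once the upgrade is possible.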
Vulnerability Details
EPSS: 0.0%
May 19, 2026
Original source: https://github.com/advisories/GHSA-6x44-w3xg-hqqf
First tracked: May 19, 2026 at 08:00 PM