GHSA-9r87-mvcw-x35f: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
Summary
Coder had two OIDC (OpenID Connect, a login standard) security flaws that could let an attacker take over a user's account: the system matched users by email without checking if the email was already linked to a different identity provider, and it didn't properly verify the `email_verified` claim (a flag stating whether the email was confirmed). An attacker who could sign in at the configured OIDC provider with a matching email could log in as the victim and access their workspaces and resources.
Solution / Mitigation
Update to patched versions: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 depending on your release line. The fix restricts email-based linking to first-time and legacy connections and defaults `email_verified` to false when the claim is missing or has an unexpected format. Alternatively, configure your OIDC provider to disallow self-registration or require email verification before issuing tokens.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-9r87-mvcw-x35f
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%