GHSA-wqxv-w64v-5wh6: Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Summary
A security flaw in Coder's AI Bridge (a proxy for accessing LLM services) allowed suspended users to keep using their existing API keys (authentication tokens) because the system didn't check if an account was suspended, only if the key itself was valid. This meant a suspended user could continue making expensive AI requests until their token expired, which could be months later.
Solution / Mitigation
The fix is available in patched versions: v2.34.2, v2.33.8, and v2.32.7. As a workaround before updating, administrators can immediately delete a suspended user's API keys by calling `DELETE /api/v2/users/{user}/keys` to revoke their access.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-wqxv-w64v-5wh6
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%