GHSA-84rm-42xw-mx52: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
Summary
Coder's AI Bridge Proxy had a security flaw where it disabled TLS certificate verification (the process that confirms a server's identity over encrypted connections) in its default configuration, meaning it would accept any certificate from the Coder server. An attacker positioned between the proxy and server could intercept sensitive data like session tokens and API keys. This only affects systems where the proxy and server are on separate machines; co-located systems using loopback connections are unaffected.
Solution / Mitigation
Apply the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. Patched versions are available: v2.34.2 (for release line 2.34), v2.33.8 (for release line 2.33), and v2.32.7 (for release line 2.32). As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server, for example through loopback or mTLS (mutual TLS, where both sides verify each other's identity).
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-84rm-42xw-mx52
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%