External risk intelligence

Coder Azure Identity Validation Vulnerability Allows Session Token Theft.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-46354

Coder is a platform designed to host and manage remote development environments. These platforms are commonly deployed as internet-facing or edge services to allow developers access to their workspaces from remote locations, making the underlying provisioning and authentication endpoints likely to be reachable from the internet in many deployments.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the Coder platform, which is used for provisioning remote development environments. This issue could allow an attacker to embed malicious content within a legitimate certificate, potentially leading to unauthorized access to session tokens. The primary concern is to confirm if our organization utilizes this specific technology and is exposed.

  • Unchecked certificate signatures could expose sensitive tokens.
  • Understand exposure; confirm relevance for Coder environments.
  • Prioritize assessing Coder's use and potential impact.

Attack Path

How an attacker could exploit the issue

An attacker could target a remote development environment provisioned by Coder. By crafting a malicious PKCS#7 signature with a legitimate Azure certificate and a fabricated virtual machine ID, an attacker could trick the `azureidentity.Validate()` function. This vulnerability, which does not require authentication, could then lead to the exposure of a victim workspace agent's session token.

  • Attacker needs target VM ID.
  • Signature validation bypass.
  • Session token theft risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to embed malicious content within a PKCS#7 certificate, tricking the system into accepting a forged VM ID. If successful, the attacker could obtain the victim workspace agent's session token without authentication, provided they know the target VM's UUIDv4.

  • Session tokens could be exposed.
  • Unauthenticated embedding of malicious content.
  • Unauthorized access to workspace agent.

Operational Fix

Recommended remediation, mitigation, and detection steps

The platform and infrastructure teams are likely responsible for managing Coder and its Terraform configurations. The initial focus should be on identifying all instances of Coder, determining their reachability and criticality, and then verifying the accountable owner for remediation or applying the vendor-provided workaround.

  • Platform/Infrastructure teams own the issue.
  • Verify Coder instances and their exposure.
  • Plan remediation or apply workaround.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coder and what is it used for?

Coder is an infrastructure platform that enables organizations to provision and manage remote development environments using Terraform. It allows engineering teams to standardize their coding setups in the cloud, centralizing workspace management and access so that developers can connect to their project environments from virtually anywhere.

What does CVE-2026-46354 mean in plain English?

This vulnerability, classified as Improper Verification of Cryptographic Signature (CWE-347), occurs when Coder fails to check the actual digital signature of a certificate. While the software confirms a certificate chain is trusted by Azure, it does not verify the signature content itself. This flaw allows an attacker to present a legitimate Azure certificate alongside forged data to trick the system into granting unauthorized access to a workspace session token.

How is this vulnerability triggered?

An attacker triggers this by submitting a crafted request containing a valid Azure certificate paired with a falsified VM ID. The system accepts this forged identity because it ignores the signature integrity. Note that simply interacting with the platform does not trigger the bug; the attacker must already possess the specific UUIDv4 of a target virtual machine to successfully impersonate it and steal the corresponding session token.

Is my organization at risk from CVE-2026-46354?

Risk depends on how your Coder environment is deployed. According to Halo Surface Signal, because Coder is often used as an internet-facing or edge service to support remote developers, the authentication endpoints affected by this flaw are frequently reachable from the internet. If your instance is exposed to the public network, the likelihood of an attacker attempting this bypass increases significantly compared to isolated internal deployments.

What should I do to address this issue?

The most effective response is to update your Coder installation to one of the patched versions released by the vendor, such as 2.33.3 or other specific versions identified in the advisory. If an immediate update is not possible, you should reconfigure your Azure templates to use token-based authentication instead of the vulnerable azure-instance-identity method to prevent unauthorized access.

References