CVE-2026-45796: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint
Unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (POST /api/v2/workspaceagents/azure-instance-identity). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target’s response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred.
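The two properties the description names, a server-side GET to a destination taken from untrusted input and error text that distinguishes failure types, are both addressed by the pattern below. It is an added example written for this page, not Coder's code and not the change in the linked commit; the function names, the `AllowedHosts` placeholder entry and the log callback are assumptions made for illustration. The idea is to route every outbound request made during identity verification through one chokepoint that allowlists the host, rejects non-public addresses at connect time (via `net.Dialer.Control`, which sees the IP actually being dialed), refuses redirects, and collapses every internal failure into a single opaque error for the API caller.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// ErrVerificationFailed is the only error ever surfaced to the API caller. Every
// internal cause (blocked host, DNS failure, connection refused, timeout) maps to
// it, so the response carries no signal about whether a destination is reachable.
var ErrVerificationFailed = errors.New("instance identity could not be verified")

// AllowedHosts is the allowlist of hosts the server may contact while verifying
// an identity document. The entry is a constructed placeholder for this example.
var AllowedHosts = []string{"example-pki.invalid"}

// isNonPublic reports whether an IP is loopback, RFC 1918 private, link-local
// (the range cloud metadata services live in), multicast, or unspecified.
func isNonPublic(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// checkURLHost accepts a URL derived from untrusted input only if it is https and
// its host is allowlisted. The reason string is for server-side logs, never clients.
func checkURLHost(raw string) (reason string, ok bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "unparseable URL", false
	}
	if u.Scheme != "https" {
		return "scheme is not https: " + u.Scheme, false
	}
	host := strings.ToLower(u.Hostname())
	for _, h := range AllowedHosts {
		if host == strings.ToLower(h) {
			return "", true
		}
	}
	return "host not allowlisted: " + host, false
}

// rejectNonPublic is a net.Dialer Control hook. It runs after name resolution and
// right before connect, so it checks the IP actually dialed rather than the name
// that was checked earlier (closing the DNS-rebinding gap between the two).
func rejectNonPublic(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("bad dial address %q: %w", address, err)
	}
	if isNonPublic(net.ParseIP(host)) {
		return fmt.Errorf("refusing to dial non-public address %s", host)
	}
	return nil
}

// newRestrictedClient returns an http.Client that runs every connection through
// rejectNonPublic and does not follow redirects, so an allowlisted host cannot
// bounce the server to an arbitrary destination.
func newRestrictedClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: rejectNonPublic}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// fetchForVerification is the single chokepoint for outbound GETs made on behalf
// of an identity document. Details go to logf; callers get ErrVerificationFailed.
func fetchForVerification(raw string, logf func(string, ...any)) ([]byte, error) {
	if reason, ok := checkURLHost(raw); !ok {
		logf("blocked outbound request during identity verification: %s", reason)
		return nil, ErrVerificationFailed
	}
	resp, err := newRestrictedClient().Get(raw)
	if err != nil {
		logf("identity verification fetch failed: %v", err)
		return nil, ErrVerificationFailed
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		logf("identity verification fetch returned HTTP %d", resp.StatusCode)
		return nil, ErrVerificationFailed
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // cap the response size
	if err != nil {
		logf("identity verification read failed: %v", err)
		return nil, ErrVerificationFailed
	}
	return body, nil
}

func main() {
	// Constructed inputs: an internal address smuggled in via untrusted input, and an allowlisted host.
	for _, u := range []string{"http://10.0.0.5/admin", "https://example-pki.invalid/ca.crt"} {
		reason, ok := checkURLHost(u)
		fmt.Printf("%-40s allowed=%v %s\n", u, ok, reason)
	}
}
```

The `Control` hook matters more than the URL check: a name can be allowlisted and still resolve to an internal address at dial time, and only the hook sees that address. The log callback keeps the detailed cause available for detection (a burst of "host not allowlisted" or "refusing to dial non-public address" entries on this endpoint is a useful alert), while the HTTP response stays uniform.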
References
- github.com/advisories/GHSA-686c-7vgv-v3fx
- github.com/coder/coder/commit/57b11d405f17492aa789d4b9ff33366f961a37f8
- github.com/coder/coder/pull/25274
- github.com/coder/coder/releases/tag/v2.24.5
- github.com/coder/coder/releases/tag/v2.29.13
- github.com/coder/coder/releases/tag/v2.30.8
- github.com/coder/coder/releases/tag/v2.31.12
- github.com/coder/coder/releases/tag/v2.32.2
- github.com/coder/coder/releases/tag/v2.33.3
- github.com/coder/coder/security/advisories/GHSA-686c-7vgv-v3fx
- nvd.nist.gov/vuln/detail/CVE-2026-45796