CVE-2026-46354: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA, but it never verifies the PKCS#7 signature itself. An attacker can therefore embed a legitimate Azure certificate alongside arbitrary content (e.g. {"vmId":"<target>"}), and the forged vmId is accepted, returning the victim workspace agent's session token.
No authentication is required. The attacker only needs to know a target VM’s vmId which is a UUIDv4.
That is a practical limitation: exploitation would typically require prior access to learn the target vmId.
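The flaw described above is a general one: checking that a signer certificate chains to a trusted CA says nothing about whether the accompanying content was actually signed by that certificate's key. The following Go program, added here as an illustration and not code from Coder or from the advisory, models that distinction with a simplified stand-in for a PKCS#7 SignedData message (content, embedded signer certificate, detached ECDSA signature) built entirely from the standard library. The CA, leaf certificate, vmId values and the SignedBlob type are constructed for the example; the real PKCS#7 parsing in Coder is not reproduced. It shows a chain-only validator accepting a blob whose content was swapped while the genuine certificate was reused, and a validator that also verifies the signature over the content rejecting it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedBlob is a constructed, simplified stand-in for a PKCS#7 SignedData
// message: the signer certificate travels with the content and a signature.
type SignedBlob struct {
	Content   []byte
	Signer    *x509.Certificate
	Signature []byte // ECDSA ASN.1 signature over SHA-256(Content)
}

// ValidateChainOnly mirrors the flawed pattern: the embedded signer chains to
// a trusted root, so the content is accepted. The signature is never checked,
// so any content paired with a genuine certificate passes.
func ValidateChainOnly(blob SignedBlob, roots *x509.CertPool) ([]byte, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := blob.Signer.Verify(opts); err != nil {
		return nil, err
	}
	return blob.Content, nil
}

// ValidateChainAndSignature is the hardened check: the certificate must chain
// to a trusted root AND its public key must verify the signature over Content,
// which binds the content to the holder of the certificate's private key.
func ValidateChainAndSignature(blob SignedBlob, roots *x509.CertPool) ([]byte, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := blob.Signer.Verify(opts); err != nil {
		return nil, err
	}
	pub, ok := blob.Signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unexpected signer key type")
	}
	digest := sha256.Sum256(blob.Content)
	if !ecdsa.VerifyASN1(pub, digest[:], blob.Signature) {
		return nil, errors.New("signature does not verify over content")
	}
	return blob.Content, nil
}

// Fixture holds constructed material: a trust store with one CA, one honestly
// signed blob, and a forged blob that reuses the genuine certificate.
type Fixture struct {
	Roots  *x509.CertPool
	Legit  SignedBlob
	Forged SignedBlob
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewFixture builds a throwaway CA and leaf (both constructed, not Azure's)
// and produces a legitimate blob plus a forged one with swapped content.
func NewFixture() Fixture {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-metadata-signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	leafCert := mustCert(leafTmpl, caCert, &leafKey.PublicKey, caKey)

	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	// Honest message: signed by the leaf key over its own content (vmId is a placeholder).
	legitContent := []byte(`{"vmId":"11111111-1111-4111-8111-111111111111"}`)
	digest := sha256.Sum256(legitContent)
	sig, _ := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	legit := SignedBlob{Content: legitContent, Signer: leafCert, Signature: sig}

	// Forged message: genuine certificate and stale signature, attacker-chosen content.
	forged := SignedBlob{
		Content:   []byte(`{"vmId":"22222222-2222-4222-8222-222222222222"}`),
		Signer:    leafCert,
		Signature: sig,
	}
	return Fixture{Roots: roots, Legit: legit, Forged: forged}
}

func main() {
	f := NewFixture()
	_, err := ValidateChainOnly(f.Forged, f.Roots)
	fmt.Println("chain-only check, forged blob:", err) // nil: forged content accepted
	_, err = ValidateChainAndSignature(f.Forged, f.Roots)
	fmt.Println("chain+signature check, forged blob:", err) // rejected
}
```

The defender's takeaway is in the second validator: certificate path validation answers "is this a trusted signer?", while signature verification answers "did that signer produce this content?"; identity-bearing claims such as a vmId need both.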
References
- github.com/advisories/GHSA-6x44-w3xg-hqqf
- github.com/coder/coder/pull/25286
- github.com/coder/coder/releases/tag/v2.24.5
- github.com/coder/coder/releases/tag/v2.29.13
- github.com/coder/coder/releases/tag/v2.30.8
- github.com/coder/coder/releases/tag/v2.31.12
- github.com/coder/coder/releases/tag/v2.32.2
- github.com/coder/coder/releases/tag/v2.33.3
- github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf
- nvd.nist.gov/vuln/detail/CVE-2026-46354