CVE-2026-55435: Suspended Coder users retain access to AI Bridge LLM proxy endpoints
AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user’s unexpired token keeps working.
Note: Practical impact is limited to already-issued API keys of suspended users until those keys are deleted.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-55435 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →