GHSA-3rw9-wmc8-8948: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token

August 28, 2025 (updated November 10, 2025)

If users log in to Coder via OIDC, and the OpenID Identity Provider does not return a refresh token, then Coder may allow their web session to continue beyond the expiration of the token returned by the OpenID Identity Provider.

References

github.com/advisories/GHSA-3rw9-wmc8-8948
github.com/coder/coder
github.com/coder/coder/commit/1a4160803589034ce1518e24a78f232c8d08f996
github.com/coder/coder/security/advisories/GHSA-3rw9-wmc8-8948

Code Behaviors & Features

Detect and mitigate GHSA-3rw9-wmc8-8948 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →