Skip to content

PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

Critical
jdomeracki-coder published GHSA-6x44-w3xg-hqqf May 13, 2026

Package

gomod github.com/coder/coder/v2 (Go)

Affected versions

< 2.33.3; < 2.32.2; < 2.31.12; < 2.30.8; < 2.29.13; < 2.24.5

Patched versions

2.33.3; 2.32.2; 2.31.12; 2.30.8; 2.29.13; 2.24.5

Description

Summary

azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. {"vmId":"<target>"} and the forged vmId will be accepted returning the victim workspace agent's session token.

No authentication is required. The attacker only needs to know a target VM's vmId which is a UUIDv4.

that's a practical limitation which would typically require prior access to be exploited

Root Cause

In unpatched Coder releases the signature over the PKCS#7 content is not validated - only the signing certificate is checked.

Impact

An attacker on any Azure VM or with access to a publicly available Azure IMDS certificate from CT logs can:

  1. Steal an agent session token by sending a forged PKCS#7 envelope to POST /api/v2/workspaceagents/azure-instance-identity which is unauthenticated.
  2. With the stolen token access:
    • Git SSH private key via GET /workspaceagents/me/gitsshkey: push to repositories and impersonate the workspace owner.
    • OAuth access tokens via GET /workspaceagents/me/external-auth: GitHub, GitLab, and Bitbucket tokens in plaintext.
    • Workspace secrets via the agent manifest: environment variables, file paths, and API keys.

Attack Path Diagram

PKCS7_diagram (1)

Affected Versions

All versions of Coder v2 are affected.

Patches

Fixed in #25286

The fix was backported to all supported release lines:

Patched Versions
v2.33.3
v2.32.2
v2.31.12
v2.30.8
v2.29.13
v2.24.5

Workarounds

If unable to patch we recommend immediately reconfiguring any Azure templates to use token authentication rather than azure-instance-identity until the patch is released and you are fully upgraded.

  1. Modify the coder_agent.auth value to be token.
  2. Add CODER_AGENT_TOKEN=${coder_agent.main.token} to the set of environment variables for the Coder Workspace Agent initialization script.

Recognition

We'd like to thank Ben Tran of calif.io and Anthropic’s Security Team (ANT-2026-22445) for independently disclosing this issue!

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2026-46354

Weaknesses

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data. Learn more on MITRE.

Credits