Update:
[CRITICAL] GHSA-6x44-w3xg-hqqf: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
GitHub Security Advisory·Security·SecurityFix·5/19/2026
## Summary

`azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content, e.g. `{"vmId":"<target>"}`, and the forged `vmId` will be ac
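The flaw class in the summary (a chain check mistaken for a signature check) is easier to see side by side. The following is an added example written for this page, not Coder's code or Azure's format: Go's standard library has no PKCS#7 parser, so a constructed `SignedEnvelope` (content, signer certificate, ECDSA signature over the content) stands in for the SignedData blob, and a throwaway CA and signer stand in for the Azure CA and a VM's attestation signer. `ValidateChainOnly` mirrors the flawed pattern; `ValidateSigned` adds the missing signature verification. All names and fixture values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// SignedEnvelope is a constructed, simplified stand-in for a PKCS#7 SignedData
// blob: the signed content, the signer certificate, and the signature.
type SignedEnvelope struct {
	Content   []byte // e.g. {"vmId":"..."}
	SignerDER []byte // DER-encoded signer certificate
	Signature []byte // ASN.1 ECDSA signature over SHA-256(Content)
}

// chainToTrustedCA parses the signer certificate and checks that it chains to a
// trusted root. This proves who the certificate belongs to, not that its key
// ever signed the content.
func chainToTrustedCA(signerDER []byte, roots *x509.CertPool) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	return cert, nil
}

func parseVMID(content []byte) (string, error) {
	var id struct{ VMID string `json:"vmId"` }
	if err := json.Unmarshal(content, &id); err != nil {
		return "", err
	}
	return id.VMID, nil
}

// ValidateChainOnly reproduces the flawed pattern in the advisory: the chain
// check passes, so the content is trusted without verifying the signature.
func ValidateChainOnly(env SignedEnvelope, roots *x509.CertPool) (string, error) {
	if _, err := chainToTrustedCA(env.SignerDER, roots); err != nil {
		return "", err
	}
	return parseVMID(env.Content)
}

// ValidateSigned is the hardened form: the signature must also verify under the
// chained certificate's public key over exactly the content being trusted.
func ValidateSigned(env SignedEnvelope, roots *x509.CertPool) (string, error) {
	cert, err := chainToTrustedCA(env.SignerDER, roots)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("signer certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(env.Content)
	if !ecdsa.VerifyASN1(pub, digest[:], env.Signature) {
		return "", errors.New("signature does not cover this content")
	}
	return parseVMID(env.Content)
}

// must panics on fixture-construction errors (the fixtures below are constructed).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildScenario creates a throwaway CA and signer (constructed stand-ins for the
// Azure CA and a VM's attestation signer), signs {"vmId":"vm-legit"}, and builds
// a forgery that keeps the real certificate and signature but swaps the content.
func BuildScenario() (roots *x509.CertPool, genuine, forged SignedEnvelope) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example-vm-signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	signerDER := must(x509.CreateCertificate(rand.Reader, signerTmpl, caCert, &signerKey.PublicKey, caKey))
	content := []byte(`{"vmId":"vm-legit"}`)
	digest := sha256.Sum256(content)
	sig := must(ecdsa.SignASN1(rand.Reader, signerKey, digest[:]))
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	genuine = SignedEnvelope{Content: content, SignerDER: signerDER, Signature: sig}
	forged = SignedEnvelope{Content: []byte(`{"vmId":"vm-forged"}`), SignerDER: signerDER, Signature: sig}
	return
}
```

Running `BuildScenario` and feeding the forged envelope to both validators shows the difference: the chain-only validator returns `vm-forged` with no error, while the signature-checking validator rejects it and accepts only the genuine envelope. The check to look for in a review of any PKCS#7 or CMS consumer is that the signature is verified over the content under the chained certificate's key, not merely that the certificate chains.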
Why it matters → github.com/coder/coder released an update. Review the changelog for relevant changes.
Who should care → Teams using github.com/coder/coder.
github.com/coder/coder
Source payload preview
{
  "ghsaId": "GHSA-6x44-w3xg-hqqf",
  "summary": "Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft",
  "severity": "CRITICAL",
  "updatedAt": "2026-05-19T20:04:16Z",
  "references": [
    {
      "url": "https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf"
    },
    {
      "url": "https://github.com/coder/coder/pull/25286"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.24.5"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.29.13"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.30.8"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.31.12"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.32.2"
…