TokenTalks

Update:

[MODERATE] GHSA-686c-7vgv-v3fx: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint

GitHub Security Advisory · Security · SecurityFix · 5/19/2026

## Summary

Unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submittin

Why it matters: github.com/coder/coder released an update. Review the changelog for relevant changes.

Who should care: Teams using github.com/coder/coder.

github.com/coder/coder

Source payload preview

{
  "ghsaId": "GHSA-686c-7vgv-v3fx",
  "summary": "Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint",
  "severity": "MODERATE",
  "updatedAt": "2026-05-19T19:53:55Z",
  "references": [
    {
      "url": "https://github.com/coder/coder/security/advisories/GHSA-686c-7vgv-v3fx"
    },
    {
      "url": "https://github.com/coder/coder/pull/25274"
    },
    {
      "url": "https://github.com/coder/coder/commit/57b11d405f17492aa789d4b9ff33366f961a37f8"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.24.5"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.29.13"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.30.8"
    },
    {
      "url": "https://github.com/coder/coder/releases/tag/v2.31.12"
    },