PatchSiren cyber security CVE debrief
CVE-2026-46354 coder CVE debrief
The CVE record for CVE-2026-46354 describes a critical vulnerability in Coder, a tool for provisioning remote development environments via Terraform. In versions prior to 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, the `azureidentity.Validate()` function fails to verify the PKCS#7 signature, allowing an attacker to embed a legitimate Azure certificate with arbitrary content. This could expose the victim's workspace agent session token. The attack requires knowledge of a target VM's `vmId`, a UUIDv4 value. Organizations should assess and patch the vulnerability to prevent potential session token exposure. The CVE was published on 2026-07-07T22:16:52.467Z and has not been modified since then. Further investigation is needed to fully understand the attack surface and potential impact.
- Vendor
- coder
- Product
- Unknown
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Organizations using Coder versions prior to 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 should assess and patch the vulnerability to prevent potential session token exposure. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and implement necessary mitigations.
Technical summary
The Coder Terraform provisioner for remote development environments has a critical vulnerability. In versions prior to 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, the `azureidentity.Validate()` function verifies the PKCS#7 signer certificate chain to a trusted Azure CA but fails to verify the PKCS#7 signature itself. This allows an attacker to embed a legitimate Azure certificate with arbitrary content, potentially exposing the victim's workspace agent session token. The attack requires knowledge of a target VM's `vmId`, a UUIDv4 value.
Defensive priority
High priority due to the critical CVSS score of 9.1 and potential for session token exposure.
Recommended defensive actions
- Patch Coder to versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, or 2.33.3
- Reconfigure Azure templates to use token authentication instead of `azure-instance-identity`
- Monitor for suspicious activity related to workspace agent session tokens
- Inventory and verify the integrity of existing Coder environments
- Consider implementing compensating controls for Azure authentication
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD detail provide moderate information about the vulnerability. The source item URL and multiple source references offer additional context. However, further investigation is needed to fully understand the attack surface and potential impact. The evidence is limited, and defenders should verify the integrity of existing Coder environments and monitor for suspicious activity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T22:16:52.467Z and has not been modified since then.