PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46354 coder CVE debrief

The CVE record for CVE-2026-46354 describes a critical vulnerability in Coder, a tool for provisioning remote development environments via Terraform. In versions prior to 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, the `azureidentity.Validate()` function fails to verify the PKCS#7 signature, allowing an attacker to embed a legitimate Azure certificate with arbitrary content. This could expose the victim's workspace agent session token. The attack requires knowledge of a target VM's `vmId`, a UUIDv4 value. Organizations should assess and patch the vulnerability to prevent potential session token exposure. The CVE was published on 2026-07-07T22:16:52.467Z and has not been modified since then. Further investigation is needed to fully understand the attack surface and potential impact.

Vendor
coder
Product
Unknown
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Organizations using Coder versions prior to 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 should assess and patch the vulnerability to prevent potential session token exposure. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and implement necessary mitigations.

Technical summary

The Coder Terraform provisioner for remote development environments has a critical vulnerability. In versions prior to 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, the `azureidentity.Validate()` function verifies the PKCS#7 signer certificate chain to a trusted Azure CA but fails to verify the PKCS#7 signature itself. This allows an attacker to embed a legitimate Azure certificate with arbitrary content, potentially exposing the victim's workspace agent session token. The attack requires knowledge of a target VM's `vmId`, a UUIDv4 value.

Defensive priority

High priority due to the critical CVSS score of 9.1 and potential for session token exposure.

Recommended defensive actions

  • Patch Coder to versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, or 2.33.3
  • Reconfigure Azure templates to use token authentication instead of `azure-instance-identity`
  • Monitor for suspicious activity related to workspace agent session tokens
  • Inventory and verify the integrity of existing Coder environments
  • Consider implementing compensating controls for Azure authentication
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record and NVD detail provide moderate information about the vulnerability. The source item URL and multiple source references offer additional context. However, further investigation is needed to fully understand the attack surface and potential impact. The evidence is limited, and defenders should verify the integrity of existing Coder environments and monitor for suspicious activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T22:16:52.467Z and has not been modified since then.