PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55075 coder CVE debrief

CVE-2026-55075 involves Coder, a platform for provisioning remote development environments via Terraform. A critical vulnerability was found in its OIDC login mechanism, which could lead to account takeover. The issue arises from two main flaws: firstly, email-based user matching could fall back to linking by email without properly checking for an existing link to a different IdP subject; secondly, the 'email_verified' claim was only enforced when present as a boolean 'false', meaning an absent or non-boolean claim was treated as verified. These vulnerabilities existed prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 of Coder. The fix restricts the email fallback to first-time and legacy linking and defaults 'email_verified' to false when the claim is absent or of an unexpected type. As a temporary workaround, configuring the OIDC provider to disallow self-registration or to require email verification before issuing tokens can mitigate the risk.

Vendor
coder
Product
Unknown
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Organizations using Coder for remote development environments, especially those relying on OIDC for authentication, should be aware of this vulnerability. It's crucial for them to update to the patched versions to prevent potential account takeovers.

Technical summary

The vulnerability in Coder's OIDC login mechanism could allow attackers to take over user accounts. This is due to improper handling of email verification and linking of user accounts across different Identity Providers (IdPs). The issue has been addressed in Coder versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 by enhancing the email fallback process and ensuring 'email_verified' claims are properly evaluated.

Defensive priority

High

Recommended defensive actions

  • Update Coder to versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2 or later.
  • Configure OIDC provider to disallow self-registration.
  • Require email verification before issuing tokens.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Additional references include GitHub pull requests and release notes related to the fix. To verify, defenders should check the official advisory and assess their environments for potential exposure, especially focusing on OIDC login configurations and email verification processes.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T22:16:53.650Z and has not been modified since then.