PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55076 coder CVE debrief

CVE-2026-55076 is a high-severity vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The issue lies in the OIDC callback's handling of the `email_verified` claim. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's implementation used a direct Go `bool` type assertion for `email_verified`. If an Identity Provider (IdP) returned this claim as a non-boolean value (e.g., the string `false`) or omitted it, the assertion would fail open, treating the email as verified. This behavior, combined with an unconditional email-based account fallback, could enable an attacker to take over an account. The vulnerability has a CVSS score of 7.4 and is classified as HIGH.

Vendor
coder
Product
Unknown
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Organizations using Coder versions prior to 2.29.7, 2.32.7, 2.33.8, or 2.34.2 should be concerned about this vulnerability. Specifically, users who rely on OIDC callbacks for authentication and have not upgraded to the patched versions are at risk. Additionally, security teams responsible for monitoring and mitigating potential account takeover attacks should be aware of this issue.

Technical summary

The vulnerability in Coder's OIDC callback arises from the improper handling of the `email_verified` claim. Normally, this claim is expected to be a boolean value indicating whether the user's email has been verified by the Identity Provider (IdP). However, if the IdP returns this claim as a non-boolean value (such as a string) or omits it altogether, Coder's previous implementation would fail open. This means that even if the email was not verified, Coder would treat it as verified. This issue is exacerbated by Coder's unconditional email-based account fallback mechanism. An attacker could exploit this by manipulating the `email_verified` claim to gain unauthorized access to a user's account.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Coder version 2.29.7, 2.32.7, 2.33.8, or 2.34.2, or later.
  • Ensure that the Identity Provider (IdP) returns `email_verified` as a native JSON boolean.
  • Monitor for and respond to potential account takeover attempts.
  • Review and update authentication and authorization configurations.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-07T23:16:55.237Z and has not been modified since then. The NVD entry is currently 7.4 HIGH. The vulnerability in Coder's OIDC callback arises from the improper handling of the `email_verified` claim. Normally, this claim is expected to be a boolean value indicating whether the user's email has been verified by the Identity Provider (IdP). However, if the IdP returns this claim as a non-boolean value (such as a string) or omits it altogether, Coder's previous implementation would fail open. This means that even if the email was not verified, Coder would treat it as verified. The email-fallback linking issue has no configuration workaround; upgrading is required. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T23:16:55.237Z and has not been modified since then.