PatchSiren cyber security CVE debrief
CVE-2026-55076 coder CVE debrief
CVE-2026-55076 is a high-severity vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The issue lies in the OIDC callback's handling of the `email_verified` claim. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's implementation used a direct Go `bool` type assertion for `email_verified`. If an Identity Provider (IdP) returned this claim as a non-boolean value (e.g., the string `false`) or omitted it, the assertion would fail open, treating the email as verified. This behavior, combined with an unconditional email-based account fallback, could enable an attacker to take over an account. The vulnerability has a CVSS score of 7.4 and is classified as HIGH.
- Vendor
- coder
- Product
- Unknown
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Organizations using Coder versions prior to 2.29.7, 2.32.7, 2.33.8, or 2.34.2 should be concerned about this vulnerability. Specifically, users who rely on OIDC callbacks for authentication and have not upgraded to the patched versions are at risk. Additionally, security teams responsible for monitoring and mitigating potential account takeover attacks should be aware of this issue.
Technical summary
The vulnerability in Coder's OIDC callback arises from the improper handling of the `email_verified` claim. Normally, this claim is expected to be a boolean value indicating whether the user's email has been verified by the Identity Provider (IdP). However, if the IdP returns this claim as a non-boolean value (such as a string) or omits it altogether, Coder's previous implementation would fail open. This means that even if the email was not verified, Coder would treat it as verified. This issue is exacerbated by Coder's unconditional email-based account fallback mechanism. An attacker could exploit this by manipulating the `email_verified` claim to gain unauthorized access to a user's account.
Defensive priority
High
Recommended defensive actions
- Upgrade to Coder version 2.29.7, 2.32.7, 2.33.8, or 2.34.2, or later.
- Ensure that the Identity Provider (IdP) returns `email_verified` as a native JSON boolean.
- Monitor for and respond to potential account takeover attempts.
- Review and update authentication and authorization configurations.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The CVE record was published on 2026-07-07T23:16:55.237Z and has not been modified since then. The NVD entry is currently 7.4 HIGH. The vulnerability in Coder's OIDC callback arises from the improper handling of the `email_verified` claim. Normally, this claim is expected to be a boolean value indicating whether the user's email has been verified by the Identity Provider (IdP). However, if the IdP returns this claim as a non-boolean value (such as a string) or omits it altogether, Coder's previous implementation would fail open. This means that even if the email was not verified, Coder would treat it as verified. The email-fallback linking issue has no configuration workaround; upgrading is required. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T23:16:55.237Z and has not been modified since then.