CVE-2026-55075

Source
https://cve.org/CVERecord?id=CVE-2026-55075
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55075.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55075
Aliases
Published
2026-07-07T21:33:38.189Z
Modified
2026-07-09T04:00:57.666391013Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
Details

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55075.json",
    "cwe_ids": [
        "CWE-287",
        "CWE-289"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/coder/coder

Affected ranges

Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.34.0"
        },
        {
            "fixed": "2.34.2"
        },
        {
            "introduced": "2.33.0"
        },
        {
            "fixed": "2.33.8"
        },
        {
            "introduced": "2.30.0"
        },
        {
            "fixed": "2.32.7"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "2.29.17"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

Other
rm
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.12.7
v0.12.8
v0.12.9
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.22.2
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.23.6
v0.23.7
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.26.1
v0.26.2
v0.27.0
v0.27.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v2.*
v2.0.2
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.10.0
v2.2.1
v2.29.0
v2.29.1
v2.29.10
v2.29.11
v2.29.12
v2.29.13
v2.29.14
v2.29.15
v2.29.16
v2.29.2
v2.29.3
v2.29.4
v2.29.5
v2.29.6
v2.29.7
v2.29.8
v2.29.9
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.32.0
v2.32.0-rc.0
v2.32.1
v2.32.2
v2.32.3
v2.32.4
v2.32.5
v2.32.6
v2.33.0
v2.33.0-rc.0
v2.33.1
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.34.0
v2.34.1
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55075.json"