Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55075.json",
"cwe_ids": [
"CWE-287",
"CWE-289"
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "2.34.0"
},
{
"fixed": "2.34.2"
},
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
},
{
"introduced": "2.30.0"
},
{
"fixed": "2.32.7"
},
{
"introduced": "0"
},
{
"fixed": "2.29.17"
}
],
"source": [
"AFFECTED_FIELD",
"REFERENCES"
]
}