CVE-2026-55435

Source
https://cve.org/CVERecord?id=CVE-2026-55435
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55435.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55435
Aliases
Published
2026-07-07T17:37:31.211Z
Modified
2026-07-11T03:53:57.799985457Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Details

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via DELETE /api/v2/users/{user}/keys.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55435.json",
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/coder/coder

Affected ranges

Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:*",
    "extracted_events": [
        {
            "introduced": "2.30.0"
        },
        {
            "fixed": "2.32.7"
        },
        {
            "introduced": "2.33.0"
        },
        {
            "fixed": "2.33.8"
        },
        {
            "introduced": "2.34.0"
        },
        {
            "fixed": "2.34.2"
        }
    ]
}

Affected versions

v2.*
v2.33.0
v2.33.1
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.34.0
v2.34.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55435.json"