CVE-2026-46354
Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate() verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. {"vmId":"<target>"} and the forged vmId will be accepted returning the victim workspace agent's session token.
No authentication is required. The attacker only needs to know a target VM's vmId which is a UUIDv4. That's a practical limitation which would typically require prior access to be exploited.
Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, reconfigure any Azure templates to use token authentication rather than azure-instance-identity.
- SSVC automatable: yes - attacks can be scripted at scale
- CVSS base score ≥ 7.0
Exploitation momentum
2 days of EPSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N- 07 Jul 2026Published to NVD
- 08 Jul 2026Last modified
ATT&CK techniques
1Techniques this CVE enables. Pills with a solid outline are high confidence - named directly in ATT&CK or Nuclei, or human-curated by CTID; the rest are inferred from the weakness type using MITRE's CVE Mapping Methodology and the CWE → CAPEC chain. Broad, generic-weakness guesses are filtered out. A small N× marks a technique that N independent sources agree on.
▤ Build a SIEM detection for these techniquesCAPEC attack patterns
2Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.