All articles
Threat IntelligenceMay 2026·4 min read

Coder Signature Flaw Allows Agent Token Theft on Azure

A critical vulnerability in Coder's Azure identity validation allows unauthenticated attackers to forge instance identities and steal developer agent tokens.

Coder Signature Flaw Allows Agent Token Theft on Azure
Illustration generated by Helixar Research Labs. Not a depiction of a real system, attack, or affected product.

At a Glance

CVE-2026-46354

Identifier

Critical

Severity

Network

Attack Vector

Coder v2

Affected

A critical vulnerability in the Coder development platform allows an unauthenticated attacker to steal session tokens for workspace agents running on Microsoft Azure. Tracked as CVE-2026-46354, the flaw stems from a signature validation bypass in the Azure instance identity verification process. This can lead to a full compromise of a developer's workspace and associated credentials [1].

The Vulnerability: A Flaw in Cryptographic Trust

Coder workspaces on Azure use an instance identity feature to authenticate agents automatically. This process relies on PKCS#7, a standard for signed cryptographic data, to prove the agent is running on a legitimate, authorized virtual machine. The system was designed to verify that the agent's identity certificate was issued by a trusted Azure certificate authority.

The root cause of the vulnerability is a failure to fully validate the cryptographic signature. The `azureidentity.Validate()` function in affected Coder versions checked the certificate's chain of trust but did not verify the signature over the message content itself. An attacker could therefore pair a legitimate Azure certificate with forged content, and Coder would mistakenly accept it as authentic [3].

IMMEDIATE ACTION

Upgrade all Coder v2 instances or reconfigure Azure templates to use token authentication immediately.

Attack Path: From Forgery to Agent Hijacking

The attack requires no authentication. An attacker only needs to know the `vmId` of a target Coder workspace, which is a UUIDv4. While not easily guessable, this ID could be obtained through other information disclosure vulnerabilities or prior access to the environment.

With a target `vmId`, the attacker constructs a malicious PKCS#7 payload. This payload contains the victim's `vmId` but is paired with a legitimate Azure certificate, which can be obtained from public Certificate Transparency logs. The attacker then sends this forged object to an unauthenticated API endpoint, `POST /api/v2/workspaceagents/azure-instance-identity`.

The vulnerable Coder server receives the request. It checks the embedded certificate, sees that it chains to a trusted Azure CA, and incorrectly assumes the entire payload is valid. The server then issues a session token for the workspace agent associated with the forged `vmId` and sends it back to the attacker.

This stolen token grants the attacker the full permissions of the compromised Coder agent. They can access sensitive resources by making authenticated API calls, including retrieving the workspace's Git SSH private key and plaintext OAuth tokens for services like GitHub, GitLab, and Bitbucket.

Securing the Agentic Workforce

This incident highlights a growing threat category for organizations using agentic tools. Coder agents are designed to act autonomously on behalf of developers, managing environments and executing tasks. When the identity of such an agent is compromised, the trusted automation tool becomes a powerful weapon for an attacker.

An attacker with a stolen agent token can operate with stealth. Their actions, such as pushing malicious code or exfiltrating secrets, appear as legitimate operations from an authenticated agent. This bypasses traditional security monitoring focused on human user authentication and behavior. Securing the identity and communication channels of software agents is paramount in modern development environments.

Patches and Mitigation

The vendor, Coder, has responded to the disclosure by releasing patches. The most direct mitigation is to upgrade to a fixed version. The patches address disclosures from Ben Tran of calif.io and Anthropic’s Security Team.

Coder has backported the fix to all supported release lines. Users on the 2.33.x series should upgrade to version 2.33.3 or newer to receive the patch [9].

For the 2.32.x line, the vulnerability is addressed in version 2.32.2 and subsequent releases [8].

Organizations running the 2.31.x series are advised to update to version 2.31.12 to protect their environments [7].

The patch was also made available for the 2.30.x series through the release of version 2.30.8 [6].

Continuing the extensive backporting effort, Coder also patched the 2.29.x line with version 2.29.13 [5].

Even much older release lines, such as 2.24.x, received a patch in version 2.24.5, ensuring broad protection across the user base [4].

If an immediate upgrade is not possible, a workaround is available. Administrators can disable the vulnerable `azure-instance-identity` authentication method. This involves modifying Coder templates to use token-based authentication, a more explicit method in this context [2].

References

  1. GitHub Security Advisory (GHSA-6x44-w3xg-hqqf). https://github.com/advisories/GHSA-6x44-w3xg-hqqf (accessed 2026-05-20).
  2. Vendor security advisory (github.com). https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf (accessed 2026-05-20).
  3. Patch commit / PR (github.com). https://github.com/coder/coder/pull/25286 (accessed 2026-05-20).
  4. github.com. https://github.com/coder/coder/releases/tag/v2.24.5 (accessed 2026-05-20).
  5. github.com. https://github.com/coder/coder/releases/tag/v2.29.13 (accessed 2026-05-20).
  6. github.com. https://github.com/coder/coder/releases/tag/v2.30.8 (accessed 2026-05-20).
  7. github.com. https://github.com/coder/coder/releases/tag/v2.31.12 (accessed 2026-05-20).
  8. github.com. https://github.com/coder/coder/releases/tag/v2.32.2 (accessed 2026-05-20).
  9. github.com. https://github.com/coder/coder/releases/tag/v2.33.3 (accessed 2026-05-20).

About Helixar Research Labs

Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.

Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.

If you run agents in production, this is for you. Learn more at helixar.ai.

Back to Press