—
GO-2026-5196
Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Details
Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/coder/coder
Introduced in:
0 No fixed version published yet for github.com/coder/coder (go modules). Pin to a known-safe version or switch to an alternative.
Go / github.com/coder/coder/v2
Introduced in:
0 Fixed in: 2.24.5 Fix
go get github.com/coder/coder/v2@v2.24.5 References
- https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf [ADVISORY]
- https://github.com/coder/coder/pull/25286 [FIX]
- https://github.com/coder/coder/releases/tag/v2.24.5 [WEB]
- https://github.com/coder/coder/releases/tag/v2.29.13 [WEB]
- https://github.com/coder/coder/releases/tag/v2.30.8 [WEB]
- https://github.com/coder/coder/releases/tag/v2.31.12 [WEB]
- https://github.com/coder/coder/releases/tag/v2.32.2 [WEB]
- https://github.com/coder/coder/releases/tag/v2.33.3 [WEB]