mediumCVE-2026-45796

CVE-2026-45796 Coder vulnerability

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target's response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, if the Azure identity-auth mechanism is not being used then restrict access to the corresponding endpoint (`/api/v2/workspaceagents/azure-instance-identity`) using ingress firewall and/or proxy ACLs.

ProductCoder
CVSS6.5
EPSS0.00335
UpdatedJuly 12, 2026

Quick answer

Coder should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • <2.24.5
  • <2.29.13
  • <2.30.8
  • <2.31.12
  • <2.32.2
  • <2.33.3

Fixed versions

  • 2.24.5
  • 2.29.13
  • 2.30.8
  • 2.31.12
  • 2.32.2
  • 2.33.3

How to fix it

CVE-2026-45796 affects Coder remote development deployments where the unauthenticated Azure instance identity endpoint can be abused for semi-blind SSRF through attacker-controlled certificate URLs. Prioritize internet-facing, shared, or multi-tenant Coder environments because compromise can affect developer workspaces, identity flows, tokens, or control-plane availability depending on the issue. Upgrade to Coder 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, or a later supported release on the relevant branch, because those are the vendor-supported patched versions. If Azure identity authentication is not required, restrict /api/v2/workspaceagents/azure-instance-identity with ingress firewall or reverse-proxy ACLs until patched.

  1. Inventory all Coder servers, workspace proxies, provisioner daemons, AI Bridge components, templates, and CLI installations across production, staging, and developer environments.
  2. Identify affected Coder versions and compare every deployment with the fixed releases for CVE-2026-45796: 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3.
  3. Upgrade Coder servers and related components to the patched release for the installed branch, then roll updated CLI or automation binaries where they are part of the affected workflow.
  4. If Azure identity authentication is not required, restrict /api/v2/workspaceagents/azure-instance-identity with ingress firewall or reverse-proxy ACLs until patched.
  5. Review Coder role bindings, OIDC settings, API keys, template parameters, provisioner access, workspace app exposure, and reverse proxy rules for unnecessary trust or public reachability.
  6. Review Coder audit logs, reverse proxy logs, provisioner logs, and workspace events for suspicious requests matching the affected endpoint or workflow.
  7. If exploitation or credential exposure is suspected, revoke affected sessions, rotate API keys and workspace tokens, preserve audit evidence, and rebuild workspaces or hosts whose integrity cannot be trusted.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every affected Coder component reports a patched version for CVE-2026-45796: 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, or a later supported release.
  • Confirm certificate URL fetching is constrained and the Azure identity endpoint cannot reach loopback, link-local, private, or arbitrary hosts.
  • Confirm temporary restrictions, role changes, OIDC settings, proxy ACLs, and API-key revocations match the intended least-privilege policy.
  • Review logs after patching to confirm exploit attempts are blocked or fail safely without exposing credentials, internal network details, or control-plane availability.
  • Document patched versions, configuration changes, remaining exceptions, and evidence, then rerun Fixnx or the relevant vulnerability scan where applicable.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-45796?

Coder versions listed as affected should be reviewed: <2.24.5, <2.29.13, <2.30.8, <2.31.12, <2.32.2, <2.33.3.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.