high · 7.4CVE-2026-55075Jul 6, 2026

CVE-2026-55075: Coder OIDC Account Takeover via Email Fallback and email_verified Bypass

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

Two flaws in Coder's OIDC login can be chained to let an attacker authenticate as a different user by matching their email address and bypassing the email verification check.

Packagegithub.com/coder/coder/v2
Ecosystemgo
Affected>= 2.34.0, < 2.34.2
Fixed in2.34.2

The problem

Coder's OIDC login handler fell back to matching users by email address even when the incoming IdP subject did not match any existing link. This meant an attacker who could register at the configured IdP with a victim's email could be linked to and logged in as that victim.

The second flaw compounded the first: the `email_verified` claim was only blocked when it was the boolean `false`. A missing claim, or a non-boolean value like the string `"true"` or an integer, was silently accepted as verified. An attacker using an IdP that omits the claim, or one they control, could exploit both gaps together for full account takeover including access to the victim's workspaces, templates, and resources.

Proof of concept

A working proof-of-concept for CVE-2026-55075 in github.com/coder/coder/v2, with the exact payload below.

json
{
  "iss": "https://attacker-controlled-idp.example.com",
  "sub": "attacker-new-subject-id",
  "aud": "coder-client-id",
  "email": "victim@corp.com",
  "preferred_username": "victim"
}

The root cause is two independent logic gaps in the OIDC user-linking code. PR #25712 fixed the email fallback path: before the patch, Coder would link an incoming OIDC identity to an existing account purely by email match, with no check for a conflicting pre-existing IdP subject link.

PR #25713 fixed the `email_verified` gate: the old code only rejected a claim when it was the boolean `false`, so a missing field or a non-boolean value (e.g. the string `"true"`, a number, or null) fell through as implicitly verified. Chained together, an attacker with a fresh IdP subject and the victim's email address, using a provider that does not emit `email_verified` (or one the attacker controls), could pass both checks and be authenticated as the victim.

CWE-287 (Improper Authentication) and CWE-289 (Authentication Bypass by Alternate Name) both apply. The payload above is derived directly from what the patch now blocks: a token with a novel `sub`, a matching `email`, and no `email_verified` field.

The fix

Upgrade to Coder v2.34.2 (or v2.33.8, v2.32.7, v2.29.17 on earlier supported release lines). The fix restricts the email-based fallback to first-time and legacy account linking only, and defaults `email_verified` to `false` whenever the claim is absent or not a strict boolean.

As a workaround on older versions, configure the OIDC provider to require email verification before issuing tokens, or disable self-registration.

Reported by Anthropic Security Team (ANT-2026-22450).

References: [1][2][3][4]

Related research