CVE-2026-55435
MEDIUM(5.4)CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CVSS 5.4 — Mittel
- Weniger als 24 Stunden alt
Beschreibung
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.
GitHub Advisories
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Referenzen
- https://github.com/coder/coder/commit/0d2c9f904a8b75b888140fcc8fbf4633660cc787
- https://github.com/coder/coder/pull/26164
- https://github.com/coder/coder/pull/26173
- https://github.com/coder/coder/releases/tag/v2.32.7
- https://github.com/coder/coder/releases/tag/v2.33.8
- https://github.com/coder/coder/releases/tag/v2.34.2
- https://github.com/coder/coder/security/advisories/GHSA-wqxv-w64v-5wh6