Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (POST /api/v2/workspaceagents/azure-instance-identity). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target's response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, if the Azure identity-auth mechanism is not being used then restrict access to the corresponding endpoint (/api/v2/workspaceagents/azure-instance-identity) using ingress firewall and/or proxy ACLs.
CVE-2026-45796
This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 78% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 6.5
- EG Score
- 6.5(low)
- EPSS
- 25.6%
- KEV
- Not listed
Published
May 19, 2026
Last Modified
July 8, 2026
Advisory Details (9)
Auto-updated Jul 7, 2026Unauthenticated semi-blind SSRF via Azure Instance Identity Endpoint · Advisory · coder/coder · GitHub
https://github.com/coder/coder/security/advisories/GHSA-686c-7vgv-v3fxv2.33.3
Patch available: coder/coder v2.33.3
https://github.com/coder/coder/releases/tag/v2.33.3v2.32.2
Patch available: coder/coder v2.32.2
https://github.com/coder/coder/releases/tag/v2.32.2v2.31.12
Patch available: coder/coder v2.31.12
https://github.com/coder/coder/releases/tag/v2.31.12v2.30.8
Patch available: coder/coder v2.30.8
https://github.com/coder/coder/releases/tag/v2.30.8v2.29.13
Patch available: coder/coder v2.29.13
https://github.com/coder/coder/releases/tag/v2.29.13v2.24.5
Patch available: coder/coder v2.24.5
https://github.com/coder/coder/releases/tag/v2.24.5fix(coderd): harden Azure identity certificate fetch
Fix merged in coder/coder PR #25274 on 2026-05-13 — awaiting tagged release
https://github.com/coder/coder/pull/25274commit 57b11d405f17 (coder/coder)
Fix landed in coder/coder commit 57b11d405f17 — awaiting tagged release
https://github.com/coder/coder/commit/57b11d405f17492aa789d4b9ff33366f961a37f8Vendor Advisories for CVE-2026-45796(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(2 across 1 ecosystem)
Go(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| github.com/coder/coder | — | — | — |
| github.com/coder/coder/v2 | — | 2.24.5 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 6× in last 7d / 15× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-13 22:30 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-06-29 20:41 UTCEG score recompute
- 2026-06-27 20:23 UTCEG score recompute
- 2026-06-26 19:43 UTCEG score recompute
- 2026-06-25 16:29 UTCEG score recompute
- 2026-06-17 20:05 UTCEG score recompute
- 2026-06-16 20:43 UTCEG score recompute
- 2026-06-15 15:58 UTCEG score recompute
- 2026-06-14 23:18 UTCEPSS rescore
- 2026-06-14 14:12 UTCEG score recompute
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-13 14:58 UTCEG score recompute
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 15:58 UTCEG score recompute
- 2026-06-11 16:46 UTCEG score recompute
- 2026-06-10 17:26 UTCEG score recompute
- 2026-06-09 18:29 UTCEG score recompute
- 2026-06-08 19:31 UTCEG score recompute
- 2026-06-07 19:59 UTCEG score recompute
- 2026-06-06 21:01 UTCEG score recompute
Show 7 moreShow fewer
- 2026-06-05 22:03 UTCEG score recompute
- 2026-06-04 23:05 UTCEG score recompute
- 2026-06-04 00:07 UTCEG score recompute
- 2026-06-03 01:09 UTCEG score recompute
- 2026-06-02 02:06 UTCEG score recompute
- 2026-06-01 03:06 UTCEG score recompute
- 2026-05-24 06:13 UTCEG score recompute
Related CVEs(same CWE)
Same CWE
10 shownCWE-918
Frequently asked(5)
What is CVE-2026-45796?
When was CVE-2026-45796 disclosed?
Is CVE-2026-45796 actively exploited?
What is the CVSS score of CVE-2026-45796?
How do I remediate CVE-2026-45796?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45796
Is Your Infrastructure Affected by CVE-2026-45796?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.