GHSA-6x44-w3xg-hqqf | Critical | CVSS 9.1

Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

Published
May 19, 2026
Last Modified
May 19, 2026

🔗 CVE IDs covered (1)

📋 Description

## Summary

`azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content, e.g. `{"vmId":"<target>"}`, and the forged `vmId` will be accepted, returning the victim workspace agent's session token. **No authentication is required.** The attacker only needs to know a target VM's `vmId`, which is a `UUIDv4`.

> that's a practical limitation which would typically require prior access to be exploited

## Root Cause

In unpatched Coder releases the signature over the PKCS#7 content is not validated; only the signing certificate is checked.

## Impact

An attacker on any Azure VM, or with access to a publicly available Azure IMDS certificate from CT logs, can:

1. **Steal an agent session token** by sending a forged PKCS#7 envelope to `POST /api/v2/workspaceagents/azure-instance-identity`, which is unauthenticated.
2. **With the stolen token**, access:
   - **Git SSH private key** via `GET /workspaceagents/me/gitsshkey`: push to repositories and impersonate the workspace owner.
   - **OAuth access tokens** via `GET /workspaceagents/me/external-auth`: GitHub, GitLab, and Bitbucket tokens in plaintext.
   - **Workspace secrets** via the agent manifest: environment variables, file paths, and API keys.

## Attack Path Diagram

<img width="5588" height="4176" alt="PKCS7_diagram (1)" src="https://github.com/user-attachments/assets/74e88a89-a995-450d-87ab-6feed03579a5" />

## Affected Versions

All versions of Coder v2 are affected.
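The root cause in runnable form, as an added example that is neither Coder's code nor part of the original advisory. It models the PKCS#7 blob with a constructed `Envelope` (content, signer certificate, signature) and a throwaway test PKI standing in for the Azure CA, then puts the certificate-only check next to the corrected one. All names (`Envelope`, `validateCertOnly`, `validateFixed`, `newTestPKI`, `forgeEnvelope`) and the vmIds are assumptions for illustration; a real fix verifies the CMS `SignerInfo` signature with a proper PKCS#7 parser rather than this simplified envelope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Envelope is a constructed, simplified stand-in for a PKCS#7 SignedData blob
// (content, signer certificate, signature). Not a CMS parser and not Coder's code.
type Envelope struct {
	Content    []byte
	SignerCert *x509.Certificate
	Signature  []byte // ASN.1 ECDSA signature over SHA-256(Content)
}

// Identity is the field of the instance identity document the server keys on.
type Identity struct {
	VMID string `json:"vmId"`
}

func parseIdentity(content []byte) (Identity, error) {
	var id Identity
	err := json.Unmarshal(content, &id)
	return id, err
}

// validateCertOnly mirrors the unpatched behaviour: the certificate must chain to a
// trusted root, but the signature over Content is never checked, so any content
// shipped next to a genuine certificate is believed.
func validateCertOnly(env Envelope, roots *x509.CertPool) (Identity, error) {
	if _, err := env.SignerCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return Identity{}, fmt.Errorf("untrusted signer: %w", err)
	}
	return parseIdentity(env.Content)
}

// validateFixed adds the missing step: Content must verify under the public key of
// the chain-checked signer certificate before anything in it is trusted.
func validateFixed(env Envelope, roots *x509.CertPool) (Identity, error) {
	if _, err := env.SignerCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return Identity{}, fmt.Errorf("untrusted signer: %w", err)
	}
	if err := env.SignerCert.CheckSignature(x509.ECDSAWithSHA256, env.Content, env.Signature); err != nil {
		return Identity{}, fmt.Errorf("signature does not cover content: %w", err)
	}
	return parseIdentity(env.Content)
}

// signEnvelope is what the genuine signer does with the private key it holds.
func signEnvelope(content []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (Envelope, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Envelope{Content: content, SignerCert: cert, Signature: sig}, err
}

// forgeEnvelope is the attack: a genuine, public signer certificate reused next to
// attacker-chosen content. Without the private key only a junk signature can be attached.
func forgeEnvelope(content []byte, cert *x509.Certificate) Envelope {
	return Envelope{Content: content, SignerCert: cert, Signature: []byte{0x30, 0x00}}
}

// must panics on error; used only while building the constructed test PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestPKI builds a constructed root CA (standing in for the trusted Azure CA)
// plus a leaf signer certificate and its private key.
func newTestPKI() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-identity-signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, leaf, leafKey
}

func main() {
	roots, leaf, _ := newTestPKI()
	// Constructed target vmId next to a genuine certificate and a junk signature.
	forged := forgeEnvelope([]byte(`{"vmId":"11111111-2222-4333-8444-555555555555"}`), leaf)
	id, err := validateCertOnly(forged, roots)
	fmt.Println("unpatched:", id.VMID, err)
	_, err = validateFixed(forged, roots)
	fmt.Println("patched:", err)
}
```

The chain check only establishes that whoever holds the certificate's private key is trusted; it says nothing about who produced the bytes next to it. Only the signature check binds `Content` to that key, which is why the forged envelope passes `validateCertOnly` and fails `validateFixed`, and why the attacker needs nothing more than a public certificate and the target `vmId`.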
## Patches

Fixed in [#25286](https://github.com/coder/coder/pull/25286). The fix was backported to all supported release lines:

| Patched Versions |
| --- |
| [**v2.33.3**](https://github.com/coder/coder/releases/tag/v2.33.3) |
| [**v2.32.2**](https://github.com/coder/coder/releases/tag/v2.32.2) |
| [**v2.31.12**](https://github.com/coder/coder/releases/tag/v2.31.12) |
| [**v2.30.8**](https://github.com/coder/coder/releases/tag/v2.30.8) |
| [**v2.29.13**](https://github.com/coder/coder/releases/tag/v2.29.13) |
| [**v2.24.5**](https://github.com/coder/coder/releases/tag/v2.24.5) |

## Workarounds

If unable to patch, we recommend immediately reconfiguring any Azure templates to use token authentication rather than `azure-instance-identity` until you are fully upgraded to a patched release.

1. Modify the [`coder_agent.auth`](https://registry.terraform.io/providers/coder/coder/latest/docs/resources/agent#auth-1) value to be `token`.
2. Add `CODER_AGENT_TOKEN=${coder_agent.main.token}` to the set of environment variables for the Coder Workspace Agent initialization script.

## Recognition

We'd like to thank [Ben Tran](https://github.com/bencalif) of [calif.io](http://calif.io) and Anthropic's Security Team (`ANT-2026-22445`) for independently disclosing this issue!

🎯 Affected products (7)

  • go/github.com/coder/coder/v2:>= 2.33.0-rc.0, < 2.33.3
  • go/github.com/coder/coder/v2:>= 2.32.0-rc.0, < 2.32.2
  • go/github.com/coder/coder/v2:>= 2.31.0, < 2.31.12
  • go/github.com/coder/coder/v2:>= 2.30.0, < 2.30.8
  • go/github.com/coder/coder/v2:>= 2.29.0, < 2.29.13
  • go/github.com/coder/coder/v2:< 2.24.5
  • go/github.com/coder/coder:<= 0.27.3
