GHSA-WQXV-W64V-5WH6
Vulnerability from github – Published: 2026-07-06 21:11 – Updated: 2026-07-07 22:17Summary
AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working.
Note: Practical impact is limited to already-issued API keys of suspended users until those keys are deleted.
Impact
A suspended user with a previously issued long-lived token could continue calling AI Bridge LLM proxy endpoints, consuming paid provider resources billed to the deployment and, if injected MCP tools are enabled, invoking those tools. Access persists until the token expires, which may be months after suspension.
Patches
The fix makes AI Bridge authorization reject non-active users like the standard API key middleware. AI Bridge was introduced in v2.30.0. The v2.29 ESR line is not affected.
The fix is available in the following releases:
| Release line | Patched version |
|---|---|
| 2.34 | v2.34.2 |
| 2.33 | v2.33.8 |
| 2.32 | v2.32.7 |
Workarounds
On suspension, delete the user's API keys via DELETE /api/v2/users/{user}/keys.
Resources
- Fix: #26173
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22446) for independently disclosing this issue!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.34.0"
},
{
"fixed": "2.34.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.30.0"
},
{
"fixed": "2.32.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55435"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T21:11:20Z",
"nvd_published_at": "2026-07-07T19:16:54Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user\u0027s unexpired token keeps working.\n\n\u003e **Note:** Practical impact is limited to already-issued API keys of suspended users until those keys are deleted.\n\n### Impact\n\nA suspended user with a previously issued long-lived token could continue calling AI Bridge LLM proxy endpoints, consuming paid provider resources billed to the deployment and, if injected MCP tools are enabled, invoking those tools. Access persists until the token expires, which may be months after suspension.\n\n### Patches\n\nThe fix makes AI Bridge authorization reject non-active users like the standard API key middleware. AI Bridge was introduced in v2.30.0. The v2.29 ESR line is not affected.\n\nThe fix is available in the following releases:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n\n### Workarounds\n\nOn suspension, delete the user\u0027s API keys via `DELETE /api/v2/users/{user}/keys`.\n\n### Resources\n\n- Fix: #26173\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22446) for independently disclosing this issue!",
"id": "GHSA-wqxv-w64v-5wh6",
"modified": "2026-07-07T22:17:57Z",
"published": "2026-07-06T21:11:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coder/coder/security/advisories/GHSA-wqxv-w64v-5wh6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55435"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/26164"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/26173"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/commit/0d2c9f904a8b75b888140fcc8fbf4633660cc787"
},
{
"type": "PACKAGE",
"url": "https://github.com/coder/coder"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.32.7"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.33.8"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/releases/tag/v2.34.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Suspended Coder users retain access to AI Bridge LLM proxy endpoints"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.