GHSA-9r87-mvcw-x35f
HIGHCoder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/coder/coder/v2🐹github.com/coder/coder/v2🐹github.com/coder/coder/v2🐹github.com/coder/coder/v2Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified.
Impact
An attacker who could authenticate at the configured OIDC provider with an email matching a victim's Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.
Patches
The fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type.
The fix was backported to all supported release lines:
Workarounds
Configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
Resources
- Fix: #25712, #25713
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22450) for independently disclosing this issue!
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/coder/coder/v2 | ≥ 2.34.0&&< 2.34.2 | 2.34.2 |
| 🐹Go | github.com/coder/coder/v2 | ≥ 2.33.0&&< 2.33.8 | 2.33.8 |
| 🐹Go | github.com/coder/coder/v2 | ≥ 2.30.0&&< 2.32.7 | 2.32.7 |
| 🐹Go | github.com/coder/coder/v2 | all versions | 2.29.17 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/coder/coder/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/coder/coder/v2 to 2.34.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-9r87-mvcw-x35f is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-9r87-mvcw-x35f is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-9r87-mvcw-x35f. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-9r87-mvcw-x35f in your dependencies?
O3 detects GHSA-9r87-mvcw-x35f across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.