PT-2026-56067 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-07
·
CVE-2026-55077
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Coder versions prior to 2.34.2
Coder versions prior to 2.33.8
Coder versions prior to 2.32.7
Coder versions prior to 2.29.17
Description
An issue exists where the
PUT /api/v2/users/{user}/password endpoint only authorized the ActionUpdatePersonal permission and failed to prevent a user with the user-admin role from resetting the password of an account with the owner role. Additionally, the system did not require the current password when an administrator reset another user's password. This allows a user-admin to reset an owner's password, authenticate as that owner, and gain full control over the deployment, including templates, workspaces, licensing, and organization settings, effectively escalating privileges from user-admin to owner.Recommendations
Update to version 2.34.2 or newer.
Update to version 2.33.8 or newer.
Update to version 2.32.7 or newer.
Update to version 2.29.17 or newer.
Restrict the
user-admin role to trusted administrators.Fix
Improper Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coder