PT-2026-56067 · Coder · Coder

Published

2026-07-06

·

Updated

2026-07-07

·

CVE-2026-55077

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17
Description An issue exists where the PUT /api/v2/users/{user}/password endpoint only authorized the ActionUpdatePersonal permission and failed to prevent a user with the user-admin role from resetting the password of an account with the owner role. Additionally, the system did not require the current password when an administrator reset another user's password. This allows a user-admin to reset an owner's password, authenticate as that owner, and gain full control over the deployment, including templates, workspaces, licensing, and organization settings, effectively escalating privileges from user-admin to owner.
Recommendations Update to version 2.34.2 or newer. Update to version 2.33.8 or newer. Update to version 2.32.7 or newer. Update to version 2.29.17 or newer. Restrict the user-admin role to trusted administrators.

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55077
GHSA-29XF-69GQ-M9JX
GO-2026-5906

Affected Products

Coder