CVE-2026-55077

Severity CVSS v4.0:
Pending analysis
Type:
CWE-285 Improper Authorization
Publication date:
07/07/2026
Last modified:
09/07/2026

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account's password. It also did not require the current password when an admin reset another user's password. Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an account that holds the `owner` role. As a workaround, restrict the `user-admin` role to trusted administrators.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:* 2.29.17 (excluding)
cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:* 2.30.0 (including) 2.32.7 (excluding)
cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:* 2.33.0 (including) 2.33.8 (excluding)
cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:* 2.34.0 (including) 2.34.2 (excluding)