Skip to main content

Coder CVE-2026-55077

HIGH
Improper Authorization (CWE-285)
2026-07-06 https://github.com/coder/coder GHSA-29xf-69gq-m9jx
7.2
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network API abuse (AV:N/AC:L/UI:N) that requires the privileged user-admin role (PR:H); resulting owner takeover yields full C:H/I:H/A:H within one system (S:U).

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 21:48 vuln.today

DescriptionCVE.org

Summary

The PUT /api/v2/users/{user}/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password.

> Note: Exploitation requires the privileged user-admin role so practical risk is limited to deployments that grant user-admin to less trusted operators.

Impact

A user-admin could reset any owner's password without knowing it, authenticate as that owner and gain full deployment control, including templates, workspaces, licensing, organization settings and the ability to self-assign the owner role. This was a privilege escalation from user-admin to owner.

Patches

The fix prevents non-owner users from resetting the password of an account that holds the owner role.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

Restrict the user-admin role to trusted administrators until upgrading.

Resources

  • Fix: #25709

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22436) for independently disclosing this issue!

AnalysisAI

{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as user-admin
Delivery
Call PUT password-reset on owner account
Exploit
Set new password without current one
Execution
Log in as owner
Persist
Self-assign owner role
Impact
Full deployment takeover

Vulnerability AssessmentAI

Exploitation Requires an authenticated principal already holding the privileged user-admin role, network access to the Coder API, and use of the PUT /api/v2/users/{user}/password endpoint targeting an account that holds the owner role; the admin reset path does not require knowledge of the target's current password. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base 7.2) is internally consistent with the description: exploitation is network-reachable and low-complexity but explicitly requires the privileged user-admin role (PR:H), so this is authenticated abuse of an over-broad permission rather than a remote-unauthenticated break. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A partially trusted operator who has been delegated the user-admin role calls PUT /api/v2/users/{user}/password against an owner account, setting a new password without supplying the owner's current one. They then log in as that owner and self-assign the owner role, obtaining full control over templates, workspaces, licensing, and organization settings. …
Remediation Vendor-released patches are available; upgrade to the fixed version for your release line - v2.34.2 (2.34), v2.33.8 (2.33), v2.32.7 (2.32), or v2.29.17 (2.29 ESR) - which prevents non-owner users from resetting the password of any account holding the owner role. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all user-admin role assignments and restrict to minimal necessary personnel; review password reset activity logs for suspicious activity on owner accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy