Coder CVE-2026-55077
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network API abuse (AV:N/AC:L/UI:N) that requires the privileged user-admin role (PR:H); resulting owner takeover yields full C:H/I:H/A:H within one system (S:U).
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Summary
The PUT /api/v2/users/{user}/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password.
> Note: Exploitation requires the privileged user-admin role so practical risk is limited to deployments that grant user-admin to less trusted operators.
Impact
A user-admin could reset any owner's password without knowing it, authenticate as that owner and gain full deployment control, including templates, workspaces, licensing, organization settings and the ability to self-assign the owner role. This was a privilege escalation from user-admin to owner.
Patches
The fix prevents non-owner users from resetting the password of an account that holds the owner role.
The fix was backported to all supported release lines:
Workarounds
Restrict the user-admin role to trusted administrators until upgrading.
Resources
- Fix: #25709
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22436) for independently disclosing this issue!
AnalysisAI
{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated principal already holding the privileged user-admin role, network access to the Coder API, and use of the PUT /api/v2/users/{user}/password endpoint targeting an account that holds the owner role; the admin reset path does not require knowledge of the target's current password. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base 7.2) is internally consistent with the description: exploitation is network-reachable and low-complexity but explicitly requires the privileged user-admin role (PR:H), so this is authenticated abuse of an over-broad permission rather than a remote-unauthenticated break. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A partially trusted operator who has been delegated the user-admin role calls PUT /api/v2/users/{user}/password against an owner account, setting a new password without supplying the owner's current one. They then log in as that owner and self-assign the owner role, obtaining full control over templates, workspaces, licensing, and organization settings. … |
| Remediation | Vendor-released patches are available; upgrade to the fixed version for your release line - v2.34.2 (2.34), v2.33.8 (2.33), v2.32.7 (2.32), or v2.29.17 (2.29 ESR) - which prevents non-owner users from resetting the password of any account holding the owner role. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all user-admin role assignments and restrict to minimal necessary personnel; review password reset activity logs for suspicious activity on owner accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-29xf-69gq-m9jx