Password Reset Vulnerability in Coder's Remote Development Environment
CVE-2026-55077
What is CVE-2026-55077?
Coder's product experiences a vulnerability that allows user-admin roles to reset passwords for owner accounts through an unsecured API endpoint. This flaw permits admin users to reset another user's password without requiring the current password, compromising account integrity. The issue primarily affects cases where untrusted operators are granted the user-admin role. The vulnerability has been addressed in updates 2.29.7, 2.32.7, 2.33.8, and 2.34.2, which restrict the password reset functionality to account owners alone. Administrators are advised to limit the user-admin role access to trusted personnel to mitigate potential risks.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
