Password Reset Vulnerability in Coder's Remote Development Environment
CVE-2026-55077

7.2HIGH

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-55077?

Coder's product experiences a vulnerability that allows user-admin roles to reset passwords for owner accounts through an unsecured API endpoint. This flaw permits admin users to reset another user's password without requiring the current password, compromising account integrity. The issue primarily affects cases where untrusted operators are granted the user-admin role. The vulnerability has been addressed in updates 2.29.7, 2.32.7, 2.33.8, and 2.34.2, which restrict the password reset functionality to account owners alone. Administrators are advised to limit the user-admin role access to trusted personnel to mitigate potential risks.

Affected Version(s)

coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2

coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.