CVE-2026-55077
Received Received - Intake

Privilege Escalation in Coder Remote Development Environments

Vulnerability report for CVE-2026-55077, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account's password. It also did not require the current password when an admin reset another user's password. Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an account that holds the `owner` role. As a workaround, restrict the `user-admin` role to trusted administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coder coder to 2.34.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Coder's remote development environment provisioning via Terraform. Before certain fixed versions, the API endpoint for changing user passwords allowed a user with the privileged 'user-admin' role to reset the password of an 'owner' account without requiring the current password. This means that a user-admin could change the owner account's password without proper authorization checks.

The issue arises because the endpoint only authorized 'ActionUpdatePersonal' and did not prevent user-admins from resetting owner passwords. The vulnerability requires the attacker to have the user-admin role, so the risk is limited to deployments where this role is granted to less trusted operators.

The fix implemented in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an owner account. As a workaround, it is recommended to restrict the user-admin role to trusted administrators.

Impact Analysis

If exploited, this vulnerability allows a user with the user-admin role to reset the password of an owner account without knowing the current password. This could lead to unauthorized access to the owner account, potentially compromising the entire system or environment managed by Coder.

Since the owner account typically has the highest level of privileges, an attacker could gain full control, leading to confidentiality, integrity, and availability impacts as indicated by the CVSS score (7.2) with high impact on confidentiality, integrity, and availability.

The practical risk depends on how the user-admin role is assigned; if it is granted to less trusted operators, the risk is higher.

Mitigation Strategies

To mitigate this vulnerability, restrict the 'user-admin' role to trusted administrators only.

Additionally, upgrade Coder to one of the fixed versions: 2.29.7, 2.32.7, 2.33.8, or 2.34.2, which prevent non-owner users from resetting the password of an account holding the 'owner' role.

Compliance Impact

This vulnerability allows a user with the privileged user-admin role to reset the password of an owner account without requiring the current password. This could lead to unauthorized access to sensitive data or administrative functions.

Such unauthorized access risks violating compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive personal and health information.

However, the practical risk is limited to deployments that grant the user-admin role to less trusted operators, and the issue is mitigated by restricting this role to trusted administrators or by applying the fixed versions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55077. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart