Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-29xf-69gq-m9jx

HIGH

Coder: User-admin role can reset owner account password

Also known asCVE-2026-55077GO-2026-5906
Published
Jul 6, 2026
Updated
Jul 7, 2026
Affected
4 pkgs
Patched
4 / 4
Exploits
None indexed

Blast Radius

4 pkgs affected
🐹github.com/coder/coder/v2🐹github.com/coder/coder/v2🐹github.com/coder/coder/v2🐹github.com/coder/coder/v2

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The PUT /api/v2/users/{user}/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password.

Note: Exploitation requires the privileged user-admin role so practical risk is limited to deployments that grant user-admin to less trusted operators.

Impact

A user-admin could reset any owner's password without knowing it, authenticate as that owner and gain full deployment control, including templates, workspaces, licensing, organization settings and the ability to self-assign the owner role. This was a privilege escalation from user-admin to owner.

Patches

The fix prevents non-owner users from resetting the password of an account that holds the owner role.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

Restrict the user-admin role to trusted administrators until upgrading.

Resources

  • Fix: #25709

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22436) for independently disclosing this issue!

Affected Packages

4 total 4 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/coder/coder/v22.34.0&&< 2.34.22.34.2
🐹Gogithub.com/coder/coder/v22.33.0&&< 2.33.82.33.8
🐹Gogithub.com/coder/coder/v22.30.0&&< 2.32.72.32.7
🐹Gogithub.com/coder/coder/v2all versions2.29.17

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/coder/coder/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/coder/coder/v2 to 2.34.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-29xf-69gq-m9jx is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-29xf-69gq-m9jx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-29xf-69gq-m9jx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account's password. It also did not require the current password when an admin reset another user's password. > **Note:** Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. ### Impact A `user-admin` could reset any owner's password without knowing it, authenticate as that owner and gain full deployment control, including templates, wo
O3 Security · Impact-Aware SCA

Is GHSA-29xf-69gq-m9jx in your dependencies?

O3 detects GHSA-29xf-69gq-m9jx across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.