GHSA-29xf-69gq-m9jx
Coder: User-admin role can reset owner account password
Details
### Summary
The `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account's password. It also did not require the current password when an admin reset another user's password.
> **Note:** Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators.
### Impact
A `user-admin` could reset any owner's password without knowing it, authenticate as that owner and gain full deployment control, including templates, workspaces, licensing, organization settings and the ability to self-assign the `owner` role. This was a privilege escalation from `user-admin` to `owner`.
### Patches
The fix prevents non-owner users from resetting the password of an account that holds the `owner` role.
The fix was backported to all supported release lines:
| Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) |
### Workarounds
Restrict the `user-admin` role to trusted administrators until upgrading.
### Resources - Fix: #25709
### Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22436) for independently disclosing this issue!
Are you affected?
Enter the version of the package you're using.
Affected packages
2.34.0 Fixed in: 2.34.2 go get github.com/coder/coder/v2@v2.34.2 2.33.0 Fixed in: 2.33.8 go get github.com/coder/coder/v2@v2.33.8 2.30.0 Fixed in: 2.32.7 go get github.com/coder/coder/v2@v2.32.7 0 Fixed in: 2.29.17 go get github.com/coder/coder/v2@v2.29.17