GHSA-29xf-69gq-m9jx: Coder: User-admin role can reset owner account password
Summary
A vulnerability in Coder allowed users with the `user-admin` role (a privileged account management permission) to reset the password of `owner` accounts (the highest-level administrators) without knowing the current password, potentially letting them take control of the entire deployment. This was a privilege escalation, where an attacker with lower-level admin access could gain full administrative control.
Solution / Mitigation
Update to patched versions: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (depending on your release line). The fix prevents non-owner users from resetting passwords of accounts with the `owner` role. As a temporary workaround before upgrading, restrict the `user-admin` role to trusted administrators only.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-29xf-69gq-m9jx
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%