Context
Change Type: Announcement
Product area: Platform services
Component: REST API
Deployed at: eu.latest.cumulocity.com, apj.cumulocity.com, jp.cumulocity.com, cumulocity.com, us.cumulocity.com
Technical details
Build artifact: cumulocity (2026.168.0)
Internal ID: MTM-66931
Description
To improve platform security, the ability to update passwords through general user endpoints is being deprecated. Password changes will soon require verification of the current password to prevent unauthorized account takeovers.
Affected endpoints
The password field is deprecated in the following endpoints:
- PUT /user/currentUser - Cumulocity - OpenAPI
- PUT /tenant/users/{userId} - Cumulocity - OpenAPI
New requirement
All password updates must use the dedicated endpoint for updating the current user’s password:
- PUT /user/currentUser/password - Cumulocity - OpenAPI
This endpoint requires the currentPassword field for validation.
Timeline
Starting in Q4 2026 for the SaaS instances and in 2027 for the yearly releases, the password field in general user endpoints will be ignored.
Important
Update all client applications and scripts to use the dedicated password endpoint. This transition is mandatory to ensure enhanced security and prevent unauthorized password modifications.