In the back end I have logic that lets authenticated users reset their password. I take the old password and a new one as parameters. If the old password doesn't match, they get an error, but I couldn't find a suitable status code for this.
The authentication middleware sends 401 Unauthorized when it fails, so I can't use 401 because of the conflict. And I guess, even if it weren't used, 401 wouldn't be the most suitable status in this case.
the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
Keep in mind that status codes are metadata, like the headers: they are data in standardized forms that allow general-purpose components to understand the semantics of the requests/responses without requiring those components to understand the details of the message body.
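To make the distinction concrete, here is an added example (not code from the question or the answer above) of a password-change endpoint that keeps the two failure modes apart: the authentication middleware answers 401 with the WWW-Authenticate challenge RFC 7235 requires, and a wrong "old password" from an already-authenticated caller answers 403 with the reason in the payload. The in-memory stores, the bearer-token scheme, the `/password` endpoint and the use of an RFC 7807 problem+json body are all assumptions of the example, not something the question specifies.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores for the demo (hypothetical; a real service
# would back these with a database and a session store).
USERS = {}     # username -> (salt, PBKDF2-SHA256 hash)
SESSIONS = {}  # bearer token -> username


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def set_password(username: str, password: str) -> None:
    """Store a fresh salt and hash for the user (creates the user if new)."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so a wrong guess does not leak timing information.
    return hmac.compare_digest(stored, _hash_password(password, salt))


def login(username: str, password: str) -> Optional[str]:
    """Return a bearer token on success, None on failure."""
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def authenticate(headers: dict) -> Optional[str]:
    """Authentication middleware: resolve the bearer token to a username."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return SESSIONS.get(value[len("Bearer "):])


def change_password(headers: dict, body: dict):
    """Handle POST /password; return (status, response_headers, response_body)."""
    username = authenticate(headers)
    if username is None:
        # No valid credentials: 401. RFC 7235 requires a WWW-Authenticate
        # challenge here so a generic client knows how to retry.
        return 401, {"WWW-Authenticate": "Bearer"}, {"title": "Unauthorized"}

    if not verify_password(username, body.get("old_password", "")):
        # Authenticated, but the request is refused: 403. The status code is
        # enough for generic components; the payload explains why to humans
        # and richer clients (problem+json shape assumed by this example).
        return 403, {"Content-Type": "application/problem+json"}, {
            "type": "about:blank",
            "title": "Forbidden",
            "detail": "The current password supplied does not match.",
        }

    set_password(username, body["new_password"])
    return 204, {}, None


def client_next_step(status: int) -> str:
    """What a general-purpose client can decide from the status code alone."""
    if status == 401:
        return "reauthenticate"
    if status == 403:
        return "show-reason"
    if status == 204:
        return "done"
    return "unexpected"


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    token = login("alice", "correct horse battery staple")
    auth = {"Authorization": "Bearer " + token}
    for hdrs, old in ((dict(), "irrelevant"), (auth, "wrong"), (auth, "correct horse battery staple")):
        status, _, payload = change_password(hdrs, {"old_password": old, "new_password": "new-secret"})
        print(status, client_next_step(status), payload)
```

The point the answer makes shows up in `client_next_step`: a proxy, SDK or retry layer that never looks at the body can still act correctly on 401 versus 403, while the 403 payload carries the human-readable reason. Whether a successful change should also revoke the user's other sessions is a separate policy decision this example leaves out.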