A critical vulnerability has been identified in the Coolify server management tool, allowing low-privileged users to gain complete administrative control. An authenticated attacker with minimal access can view the root user's private SSH key, enabling them to log into the underlying server as the root user and execute arbitrary commands. This represents a total compromise of the server's confidentiality, integrity, and availability.

The vulnerability is an improper access control and information disclosure flaw within the Coolify platform. Authenticated users with low-level privileges are able to access and view the private SSH key belonging to the root user of the host server. An attacker can exploit this by logging into the Coolify web interface with a low-privileged account, retrieving the exposed private key, and then using a standard SSH client to establish a remote session on the server as the root user, thereby bypassing all intended security mechanisms.

This vulnerability is rated as critical severity with a CVSS score of 9.9, posing a severe and immediate risk to the organization. Successful exploitation results in a complete system compromise, granting the attacker full administrative control over the server managed by Coolify. This could lead to catastrophic consequences, including theft or destruction of sensitive data, deployment of ransomware, disruption of critical business services, and the use of the compromised server as a pivot point to attack other internal network resources.

Immediate Action: Organizations must immediately investigate their Coolify instances to identify the running version. If a version later than v4.0.0-beta.434 is available, update immediately. If a patch is not yet available, treat this as a zero-day vulnerability and proceed with compensating controls while actively monitoring vendor announcements for a security patch.

Proactive Monitoring: System administrators should immediately begin monitoring for signs of compromise. This includes reviewing SSH authentication logs (/var/log/auth.log or equivalent) for any unusual or successful root logins, particularly from unexpected source IP addresses. Scrutinize Coolify application logs for any unauthorized user activity or access to system configuration sections. Monitor the server for unexpected running processes, new user accounts, or outbound network connections.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Restrict access to the Coolify web interface to only trusted administrative personnel.
• Temporarily disable or suspend all non-essential, low-privileged user accounts on the Coolify platform.
• Implement strict firewall rules to limit SSH access (port 22) to the server from only known, trusted IP addresses.
• If possible, rotate the root user's SSH key on the server immediately to invalidate the potentially exposed key.

Public Exploit Available: false

This vulnerability represents a critical and direct path to full system compromise and must be addressed with the highest priority. Due to the CVSS score of 9.9, we recommend immediate action. Organizations must prioritize applying the vendor-supplied patch as soon as it becomes available. In the absence of a patch, the compensating controls listed above, particularly the restriction of low-privileged user access and SSH firewall rules, should be implemented without delay to reduce the attack surface. Although this CVE is not currently on the CISA KEV list, the severity warrants treating it as if it were.