CVE-2026-34044

CoolLabs · Coolify

Coolify is affected by an authorization bypass vulnerability, allowing authenticated users to access resources they are not permitted to view via user-controlled keys.

Executive summary

An authorization bypass vulnerability in Coolify allows authenticated users to access sensitive data outside their scope, posing a significant risk to internal data confidentiality.

Vulnerability

This flaw involves an Authorization Bypass Through User-Controlled Key (CWE-639). An authenticated user can manipulate identifiers to access resources or data belonging to other users or system areas they are not authorized to interact with.

Business impact

The CVSS score of 7.7 reflects a high risk of unauthorized information disclosure. By bypassing authorization controls, an attacker can access sensitive environment configurations, database credentials, or other critical data, leading to severe reputational and security consequences for the organization.

Remediation

Immediate Action: Upgrade to Coolify version 4.0.0-beta.466 or later to enforce proper authorization checks.

Proactive Monitoring: Analyze application access logs for patterns of unusual resource requests, particularly those involving sequential IDs or out-of-bounds object access.

Compensating Controls: Use a Web Application Firewall (WAF) to filter and inspect requests for suspicious parameter manipulation if an immediate update is not feasible.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Authorization bypass flaws undermine the fundamental security model of any multi-user application. Administrators must apply the vendor-provided security update to version 4.0.0-beta.466 to ensure that resource access control policies are correctly enforced and data privacy is restored.