CVE-2026-34044
CoolLabs · Coolify
Coolify is affected by an authorization bypass vulnerability, allowing authenticated users to access resources they are not permitted to view via user-controlled keys.
Executive summary
An authorization bypass vulnerability in Coolify allows authenticated users to access sensitive data outside their scope, posing a significant risk to internal data confidentiality.
Vulnerability
This flaw involves an Authorization Bypass Through User-Controlled Key (CWE-639). An authenticated user can manipulate identifiers to access resources or data belonging to other users or system areas they are not authorized to interact with.
Business impact
The CVSS score of 7.7 reflects a high risk of unauthorized information disclosure. By bypassing authorization controls, an attacker can access sensitive environment configurations, database credentials, or other critical data, leading to severe reputational and security consequences for the organization.
Remediation
Immediate Action: Upgrade to Coolify version 4.0.0-beta.466 or later to enforce proper authorization checks.
Proactive Monitoring: Analyze application access logs for patterns of unusual resource requests, particularly those involving sequential IDs or out-of-bounds object access.
Compensating Controls: Use a Web Application Firewall (WAF) to filter and inspect requests for suspicious parameter manipulation if an immediate update is not feasible.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Authorization bypass flaws undermine the fundamental security model of any multi-user application. Administrators must apply the vendor-provided security update to version 4.0.0-beta.466 to ensure that resource access control policies are correctly enforced and data privacy is restored.