This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)

**Essence**: Coolify < 4.0.0-beta.361 has a critical **Authorization Bypass**. **Consequences**: Attackers can escalate privileges to **Owner** level, gaining full control over the platform and all hosted resources. …

**CWE**: **CWE-862** (Missing Authorization). **Flaw**: The application fails to verify that a user has the required permissions before executing actions. …

**Vendor**: coollabsio. **Product**: Coolify. **Affected Versions**: All versions **before 4.0.0-beta.361**. **Fixed In**: Version 4.0.0-beta.361 and later.
Q4: What can hackers do? (Privileges/Data)

**Privileges**: Escalate from any role to **Owner**. **Data Access**: Full read/write access to all projects, servers, and configurations. …

**Threshold**: **Low**. **Auth Required**: Yes, the attacker must be an **authenticated user**. **No Auth Bypass**: Does not require anonymous access. **Ease**: **Low Complexity (AC:L)**. …

**Public Exploit**: **No**. **PoC**: None listed in the advisory. **Wild Exploitation**: Unconfirmed. However, the logic flaw is simple, so PoCs may emerge quickly. …

**Check**: Verify your Coolify version in the dashboard. **Date**: Published 2025-01-24. **Scan**: Look for version **< 4.0.0-beta.361**. …

**Fixed**: **Yes**. **Patch**: Upgrade to **Coolify 4.0.0-beta.361** or newer. **Source**: Official GitHub Security Advisory (GHSA-9w72-9qww-qj6g). **Action**: Immediate update recommended for all beta users.
Q9: What if no patch? (Workaround)

**Workaround**: If you cannot update immediately, **restrict user creation**. **Limit Access**: Only allow trusted admins. **Network**: Isolate the Coolify instance from untrusted networks. …

**Urgency**: **CRITICAL**. **Priority**: **P1**. **Reason**: The CVSS vector shows **High** impact (C:H, I:H, A:H) and **Low** complexity. **Action**: Patch immediately; the flaw lets any user become the Owner. …