Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue.
Lack of permission verification (missing authorization) allows an authenticated user to query API endpoints of a Coolify instance and read private SSH keys of other users without any access control. If the attacker's server configuration (IP address or domain, port, user account) matches the victim's server configuration, the stolen key can be used to establish an SSH connection and execute arbitrary commands on that server.
An attacker can gain full access to private SSH keys of all users on the instance, and under favorable conditions execute arbitrary commands (RCE) on remote servers managed by Coolify, which may result in complete infrastructure takeover.
Coolify should be updated to version 4.0.0-beta.374 or newer, which contains a patch eliminating missing authorization when reading private keys.
Coolify in versions before 4.0.0-beta.374 (all self-hosted instances).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCoollabs Coolify
APPCoollabs4.0.0< 4.0.0
Related vulnerabilities
Stored XSS w Coolify — atak przez złośliwą nazwę projektu
Command injection w Coolify via docker-compose.yaml — RCE jako root
RCE w Coolify — command injection w konfiguracji Docker Compose
Command injection w polu Git Repository w Coolify
Coolify: nieuprawniony dostęp do prywatnego klucza SSH użytkownika root