Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.
Coolify improperly secures access to stored authentication data (CWE-522 — insufficiently protected authentication data). A logged-in user with low privileges is able to read the private SSH key belonging to the root account on the server hosting Coolify. With this key, an attacker can establish an SSH connection directly to the server and authenticate as root, completely bypassing standard access control mechanisms.
An attacker gains full access to the server with root privileges, enabling system takeover, reading and modifying all data, and further lateral movement within the infrastructure.
At the time of CVE publication, patch availability status was unclear. Monitor the official project repository (https://github.com/coollabsio/coolify) and GHSA advisory qwxj-qch7-whpc, and apply patches according to vendor references immediately upon release. Until patched, restrict access to Coolify instances to trusted users only and rotate root SSH keys.
Coolify (Coollabs) in versions up to v4.0.0-beta.434 inclusive
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HCoollabs Coolify
APPCoollabs4.0.0< 4.0.0
Related vulnerabilities
Stored XSS w Coolify — atak przez złośliwą nazwę projektu
Command injection w Coolify via docker-compose.yaml — RCE jako root
RCE w Coolify — command injection w konfiguracji Docker Compose
Command injection w polu Git Repository w Coolify
Command injection w Coolify — wykonanie poleceń jako root przez użytkownika