| عنوان | coolLabs Coolify 4.1.1 Missing Authorization |
|---|
| الوصف | Every Eloquent policy class in `app/Policies/` that governs resource lifecycle operations (applications, databases, services, servers, projects, environments, environment variables, service applications, service databases, application previews, application settings, notifications, resource creation) has had its method bodies replaced with an unconditional `return true;` (or `Response::allow()`). The original role/team check is preserved verbatim as a commented-out block above each stub, with the marker comment `// Authorization temporarily disabled`.
As a result, the documented `Role::MEMBER < Role::ADMIN < Role::OWNER` privilege hierarchy is not enforced for any resource-management operation. A team MEMBER can update, delete, deploy, and manage every resource owned by their team.
`TeamPolicy` is the only policy that remains correctly enforced, which strongly suggests the stubbing was an incomplete refactor rather than a deliberate role-model redesign.
Note: Password for zipped report is: <H(Eym7\Z5M]x"<4jj-0(n:"N4 |
|---|
| المصدر | ⚠️ https://github.com/lakshayyverma/CVE-Discovery/blob/main/coolify-resource-policy-stubs.zip |
|---|
| المستخدم | lakshay12311 (UID 91298) |
|---|
| ارسال | 02/06/2026 05:30 AM (1 شهر منذ) |
|---|
| الاعتدال | 12/07/2026 07:49 AM (1 month later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 377836 [coollabsio Coolify حتى 4.1.1 Policy /app/Policies/ تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|