CVE-2026-34050 in Coolify
Summary
by MITRE • 07/06/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update checks. This issue is fixed in version 4.0.0-beta.471.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability identified in Coolify versions prior to 4.0.0-beta.471 represents a critical authorization flaw that undermines the application's security model and access control mechanisms. This issue resides within the Settings/Updates Livewire component where the system fails to properly validate user permissions before granting access to administrative functions. The absence of proper authentication checks in the mount method creates an unauthorized access vector that allows any authenticated user to navigate to the Updates settings page regardless of their administrative privileges.
The technical implementation flaw stems from insufficient privilege validation within the Livewire component architecture. When users access the Settings/Updates section, the system should verify whether the requesting user possesses administrative rights through the isInstanceAdmin check before rendering the page content. Without this verification, non-administrative users can bypass normal access controls and gain visibility into update configuration parameters that should remain restricted to authorized administrators only. This misconfiguration aligns with CWE-285, which addresses improper authorization issues in software systems where access controls are not properly enforced.
The operational impact of this vulnerability extends beyond simple information disclosure, as it potentially enables malicious actors or compromised user accounts to manipulate critical system update configurations. An attacker who gains access to a non-administrative account could theoretically trigger unauthorized update checks, modify auto-update settings, or potentially disrupt the application's update workflow. This capability represents a significant escalation in privileges that could lead to system instability, denial of service conditions, or even facilitate further attacks through compromised update processes.
From an attack perspective, this vulnerability maps to several ATT&CK techniques including privilege escalation and defense evasion. The issue allows for unauthorized modification of system settings without proper authentication checks, which can be leveraged to establish persistent access patterns or disrupt normal operational procedures. Security professionals should note that this type of authorization bypass is particularly dangerous in self-hosted environments where administrators may not have the same level of monitoring as cloud-based services.
The fix implemented in version 4.0.0-beta.471 addresses this vulnerability by incorporating proper administrative permission checks within the Livewire component's mount method. This ensures that only users with instance administrator privileges can access and modify update settings, aligning with security best practices for role-based access control. Organizations running affected versions should immediately implement the upgrade to prevent potential exploitation while also conducting thorough access control reviews to identify any other similar authorization gaps within their Coolify deployments.
This vulnerability serves as a reminder of the critical importance of proper authentication and authorization checks in web applications, particularly those handling system-level configurations. The implementation of such controls should follow established security frameworks that enforce least privilege principles and maintain clear separation between user roles and administrative functions. Regular security audits and code reviews focusing on access control mechanisms can help identify similar issues before they can be exploited in production environments.