Coolify Privilege Escalation Vulnerability Allowing Low Privileged Users to Gain Admin Rights

Vulnerability

A vulnerability in Coolify, an open-source tool for managing servers, applications, and databases, allows low-privileged users to invite themselves as administrators. This issue affects Coolify versions through v4.0.0-beta.434. The vulnerability arises when a low-privileged user attempts to invite a high-privileged user: although the application rejects the first request, a second attempt successfully sends the invitation. Once the low-privileged user is granted admin rights, they can reset the password and log in as an administrator.

Impact

Exploitation of this vulnerability leads to unauthorized privilege escalation, allowing a low-privileged user to gain administrative rights on the Coolify instance.

Reproduction

To reproduce this vulnerability, log in as a member and navigate to the '/team/members' section. Under 'Invite New Member', enter an email address you control and select 'admin' as the role. Click the 'Generate invite link' button twice. After the invitation is sent, open an incognito tab, initiate a password reset for the invited email address, and follow the instructions in the reset email. Once the password is reset, log in with the new admin credentials.
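The advisory describes an authorization check that rejects the first attempt but not the second. The following is an added example, not Coolify's code: it shows the defender-side rule (a stateless, per-request check that an inviter can only grant a role at or below their own, so a retry gets the same answer as the first attempt) and a small audit-log scan that flags sent invitations whose role exceeds the inviter's, especially when they follow an earlier rejection. The role hierarchy, the log line format and the sample log lines are all constructed for this example and are not taken from Coolify.

```python
"""Defensive checks around role-bearing invitations.

Added example, not Coolify's code. The role hierarchy, the audit-log
format and the sample log lines below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Assumed role hierarchy, lowest to highest (constructed; not Coolify's
# real role names or ordering).
ROLE_RANK = {"member": 0, "admin": 1, "owner": 2}


def authorize_invite(inviter_role: str, invited_role: str) -> bool:
    """Server-side rule: an inviter may only grant a role at or below
    their own. The check is stateless and evaluated on every request,
    so a repeated identical request is rejected exactly like the first."""
    try:
        return ROLE_RANK[invited_role] <= ROLE_RANK[inviter_role]
    except KeyError:
        # Unknown role names are rejected rather than silently allowed.
        return False


@dataclass(frozen=True)
class InviteEvent:
    ts: str
    inviter: str
    inviter_role: str
    invited: str
    invited_role: str
    outcome: str  # "rejected" or "sent"


# Constructed audit-log format for this example; one invite event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) invite inviter=(?P<inviter>\S+) inviter_role=(?P<inviter_role>\S+) "
    r"invited=(?P<invited>\S+) invited_role=(?P<invited_role>\S+) outcome=(?P<outcome>\S+)$"
)


def parse_log(lines):
    """Parse log lines into InviteEvent records; lines that do not match
    the expected format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(InviteEvent(**m.groupdict()))
    return events


def find_escalating_invites(events):
    """Flag every *sent* invitation whose granted role exceeds the
    inviter's own role. If the same inviter/target/role combination was
    rejected earlier in the log, note that too, since a rejection followed
    by a successful retry is the pattern the advisory describes."""
    findings = []
    seen_rejected = set()
    for e in events:
        key = (e.inviter, e.invited, e.invited_role)
        if e.outcome == "rejected":
            seen_rejected.add(key)
            continue
        if e.outcome != "sent":
            continue
        if not authorize_invite(e.inviter_role, e.invited_role):
            reason = "role-escalating invite sent"
            if key in seen_rejected:
                reason += " after an earlier rejection"
            findings.append((e.ts, e.inviter, e.invited, e.invited_role, reason))
    return findings


# Constructed sample audit log: one legitimate admin invite by an owner, a
# member whose admin invite is rejected and then sent on retry, and a
# member inviting another member (allowed).
SAMPLE_LOG = [
    "2026-01-05T20:00:01Z invite inviter=alice inviter_role=owner invited=bob@example.test invited_role=admin outcome=sent",
    "2026-01-05T20:05:10Z invite inviter=mallory inviter_role=member invited=mallory2@example.test invited_role=admin outcome=rejected",
    "2026-01-05T20:05:12Z invite inviter=mallory inviter_role=member invited=mallory2@example.test invited_role=admin outcome=sent",
    "2026-01-05T20:06:00Z invite inviter=mallory inviter_role=member invited=carol@example.test invited_role=member outcome=sent",
]


if __name__ == "__main__":
    for finding in find_escalating_invites(parse_log(SAMPLE_LOG)):
        print(finding)
```

Running the block reports only the member-issued admin invitation that succeeded on retry; the owner's admin invite and the member-to-member invite pass the rule. The point of `authorize_invite` is that it holds no state between requests: whatever causes a first rejection must also cause every later rejection, and any per-session flag or form state that could flip the outcome on a second click is outside the decision.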

Added: Jan 5, 2026, 8:20 PM
Updated: Jan 5, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.