CVE-2026-34050 Overview
Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. CVE-2026-34050 is a missing authorization vulnerability [CWE-862] in the Settings/Updates Livewire component. The mount() method fails to invoke isInstanceAdmin(), allowing any authenticated non-admin user to reach the Updates settings page. Authenticated attackers can modify auto-update settings or trigger update checks that should be restricted to instance administrators. The flaw is fixed in Coolify version 4.0.0-beta.471.
Critical Impact
Authenticated non-admin users can access instance-wide update configuration and trigger update actions reserved for administrators, undermining the integrity of the Coolify deployment.
Affected Products
- Coolify versions prior to 4.0.0-beta.471
- Self-hosted Coolify deployments with multiple authenticated users
- Coolify instances where non-admin roles exist alongside instance administrators
Discovery Timeline
- 2026-07-06 - CVE-2026-34050 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-34050
Vulnerability Analysis
The vulnerability resides in the app/Livewire/Settings/Updates.php component. Livewire components in Coolify are expected to enforce role checks inside the mount() lifecycle method before rendering privileged pages. The Updates component omitted this check entirely.
Any authenticated user with a session, regardless of role, could navigate to the Updates settings route. From there, they could interact with update-related controls including auto-update toggles and manual update triggers. The Common Weakness Enumeration classification is [CWE-862] Missing Authorization.
Because update mechanisms influence which software versions run on the Coolify host, unauthorized modification affects the integrity of the managed environment. The EPSS score of 0.213% reflects low near-term exploitation likelihood, but the flaw is trivial to reach for any user already holding credentials.
Root Cause
The mount() method in the Updates Livewire component did not invoke the isInstanceAdmin() helper. Authorization was implicitly assumed based on route registration rather than enforced at the component level, leaving the page reachable by any authenticated principal.
Attack Vector
An attacker requires valid, non-privileged credentials to a Coolify instance. The attacker sends an authenticated HTTP request to the Updates settings route. The Livewire component renders and processes actions without checking administrator status, exposing update controls to the low-privilege session.
// Security patch in app/Livewire/Settings/Updates.php
// Adds instance admin authorization to the mount() method
public function mount()
{
+ if (! isInstanceAdmin()) {
+ return redirect()->route('dashboard');
+ }
if (! isCloud()) {
$this->server = Server::findOrFail(0);
}
Source: Coolify commit 0fed5532
Detection Methods for CVE-2026-34050
Indicators of Compromise
- HTTP requests to the Coolify Updates settings route originating from user sessions that do not belong to instance administrators
- Unexpected changes to auto-update configuration values in Coolify settings storage
- Livewire action calls targeting Settings/Updates component methods from non-admin session identifiers
- Update check events triggered outside of documented administrator activity windows
Detection Strategies
- Correlate authenticated session identifiers with role assignments in application logs to flag non-admin access to /settings/updates
- Alert on Livewire component invocations of Settings.Updates where the acting user lacks the instance admin role
- Baseline the frequency of update-check triggers and alert on anomalous manual invocations
Monitoring Recommendations
- Enable verbose access logging on the Coolify reverse proxy and retain HTTP paths, user identifiers, and timestamps
- Forward Coolify application and web server logs to a centralized log platform for role-based query analysis
- Track configuration diffs on Coolify settings tables to identify unauthorized modifications to update behavior
How to Mitigate CVE-2026-34050
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.471 or later, which enforces isInstanceAdmin() in the Updates component
- Audit the Coolify user list and revoke accounts that are no longer required to reduce the authenticated attack surface
- Review recent update-related configuration changes and revert any unauthorized modifications
Patch Information
The fix is delivered in Coolify 4.0.0-beta.471. The patch adds an isInstanceAdmin() guard to the mount() method of app/Livewire/Settings/Updates.php, redirecting non-admin users to the dashboard. Full technical details are available in the Coolify GitHub Security Advisory GHSA-c339-w3cq-2rjr and the associated pull request #9206.
Workarounds
- Restrict network access to the Coolify management interface using a reverse proxy allow-list until the upgrade is applied
- Enforce multi-factor authentication and limit account provisioning to trusted operators while running an unpatched version
- Temporarily disable non-admin user accounts on instances where an immediate upgrade is not feasible
# Verify the installed Coolify version and upgrade to the patched release
docker exec coolify sh -c 'cat /app/versions.json' | grep version
# Pull the patched Coolify release (4.0.0-beta.471 or later)
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

