Andras Bacsai
336fa0c714
This commit addresses a critical security vulnerability where low-privileged
users (members) could invite high-privileged users (admins/owners) to teams,
allowing them to escalate their own privileges through password reset.
Root Causes Fixed:
1. TeamPolicy authorization checks were commented out, allowing all team
members to manage invitations instead of just admins/owners
2. Missing role elevation checks in InviteLink component allowed members
to invite users with higher privileges
Security Fixes:
1. app/Policies/TeamPolicy.php
- Uncommented and enforced authorization checks for:
* update() - Only admins/owners can update team settings
* delete() - Only admins/owners can delete teams
* manageMembers() - Only admins/owners can manage team members
* viewAdmin() - Only admins/owners can view admin panel
* manageInvitations() - Only admins/owners can manage invitations
2. app/Livewire/Team/InviteLink.php
- Added explicit role elevation checks to prevent:
* Members from inviting admins or owners
* Admins from inviting owners (defense-in-depth)
- Validates that inviter has sufficient privileges for target role
Test Coverage:
1. tests/Feature/TeamPolicyTest.php
- 24 comprehensive tests covering all policy methods
- Tests for owner, admin, member, and non-member access
- Specific tests for the privilege escalation vulnerability
2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php
- 11 tests covering all role elevation scenarios
- Tests member → admin/owner escalation (blocked)
- Tests admin → owner escalation (blocked)
- Tests valid invitation paths for each role
Impact:
- Prevents privilege escalation attacks
- Protects all Coolify instances from unauthorized access
- Enforces proper role hierarchy in team management
References:
- Identified by Aikido AI whitebox pentest service
- CVE: Pending assignment
- Severity: Critical
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
About the Project
Coolify is an open-source & self-hostable alternative to Heroku / Netlify / Vercel / etc.
It helps you manage your servers, applications, and databases on your own hardware; you only need an SSH connection. You can manage VPS, Bare Metal, Raspberry PIs, and anything else.
Imagine having the ease of a cloud but with your own servers. That is Coolify.
No vendor lock-in, which means that all the configurations for your applications/databases/etc are saved to your server. So, if you decide to stop using Coolify (oh nooo), you could still manage your running resources. You lose the automations and all the magic. 🪄️
For more information, take a look at our landing page at coolify.io.
Installation
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
You can find the installation script source here.
Note
Please refer to the docs for more information about the installation.
Support
Contact us at coolify.io/docs/contact.
Cloud
If you do not want to self-host Coolify, there is a paid cloud version available: app.coolify.io
For more information & pricing, take a look at our landing page coolify.io.
Why should I use the Cloud version?
The recommended way to use Coolify is to have one server for Coolify and one (or more) for the resources you are deploying. A server is around 4-5$/month.
By subscribing to the cloud version, you get the Coolify server for the same price, but with:
- High-availability
- Free email notifications
- Better support
- Less maintenance for you
Donations
To stay completely free and open-source, with no feature behind the paywall and evolve the project, we need your help. If you like Coolify, please consider donating to help us fund the project's future development.
Thank you so much!
Big Sponsors
- 23M - Your experts for high-availability hosting solutions!
- Algora - Open source contribution platform
- American Cloud - US-based cloud infrastructure services
- Arcjet - Advanced web security and performance solutions
- BC Direct - Your trusted technology consulting partner
- Blacksmith - Infrastructure automation platform
- Brand.dev - API to personalize your product with logos, colors, and company info from any domain
- ByteBase - Database CI/CD and Security at Scale
- CodeRabbit - Cut Code Review Time & Bugs in Half
- COMIT - New York Times award–winning contractor
- CompAI - Open source compliance automation platform
- Convex - Open-source reactive database for web app developers
- CubePath - Dedicated Servers & Instant Deploy
- Darweb - Design. Develop. Deliver. Specialized in 3D CPQ Solutions
- Formbricks - The open source feedback platform
- GoldenVM - Premium virtual machine hosting solutions
- Gozunga - Seriously Simple Cloud Infrastructure
- Hetzner - Server, cloud, hosting, and data center solutions
- Hostinger - Web hosting and VPS solutions
- JobsCollider - 30,000+ remote jobs for developers
- Juxtdigital - Digital PR & AI Authority Building Agency
- LiquidWeb - Premium managed hosting solutions
- Logto - The better identity infrastructure for developers
- Macarne - Best IP Transit & Carrier Ethernet Solutions for Simplified Network Connectivity
- Mobb - Secure Your AI-Generated Code to Unlock Dev Productivity
- PFGLabs - Build Real Projects with Golang
- Ramnode - High Performance Cloud VPS Hosting
- SaasyKit - Complete SaaS starter kit for developers
- SupaGuide - Your comprehensive guide to Supabase
- Supadata AI - Scrape YouTube, web, and files. Get AI-ready, clean data
- Syntax.fm - Podcast for web developers
- Tigris - Modern developer data platform
- Tolgee - The open source localization platform
- Ubicloud - Open source cloud infrastructure platform
Small Sponsors
...and many more at GitHub Sponsors
Recognitions
Core Maintainers
| Andras Bacsai | 🏔️ Peak |
|---|---|
 |
 |
   |
|
Repo Activity
