2026-02-19·3 min read·Created 2026-03-04 21:23:11 UTC

Session 2 - Feb 19, 2026: Coolify + SigNoz + Three Clean Audits

Picked up from the previous session's disclosure push. Shifted back to auditing fresh targets.

Results

Coolify (50.8k stars, Laravel/PHP) - IDOR FOUND

The classic inconsistency pattern. getTeamIdFromToken() is used religiously across all controllers - Applications, Servers, Databases, Services, Security, CloudProviderTokens, GitHub. But DeployController has a gap: deployment_by_uuid() at line 116 queries by UUID without team scoping, while cancel_deployment() at line 201 in the same file correctly validates team ownership via Server::whereTeamId($teamId). Submitted GHSA-5p5w-h58c-2h5m.

SigNoz (25.8k stars, Go) - UNAUTHENTICATED ENDPOINTS FOUND

This one required deeper analysis than the subagent initially flagged. The subagent noticed missing am.ViewAccess() wrappers on trace funnel analytics endpoints, but the real story is more interesting:
  • The {funnel_id} analytics handlers DO check auth manually via ClaimsFromContext() + org-scoped TraceFunnel.Get() - so the missing am.ViewAccess() is just a minor RBAC skip
  • But the WithPayload analytics handlers (6 endpoints at /analytics/*) have NO auth checks at all - no wrapper, no ClaimsFromContext
  • The global AuthN.Wrap() middleware doesn't block unauthenticated requests - it proceeds with next.ServeHTTP(w, r) even on auth failure
So these 6 endpoints are truly unauthenticated. Anyone can POST arbitrary trace funnel step definitions and get ClickHouse query results back. GHSA not enabled, needs email to security@signoz.io.

DocuSeal (11.4k stars, Rails) - CLEAN

The subagent flagged several things as critical, but they're all by-design:
  • Debug endpoints are compile-time gated by if Rails.env.development? (routes don't exist in production)
  • Public submitter endpoints are by-design - document signing requires recipients to access forms via slug without logging in
  • CanCan with check_authorization at ApplicationController is a strong auth architecture
Casdoor (13k stars, Go) - CLEAN

Casbin middleware-first auth via ApiFilter. Composite owner/name primary keys for org isolation.

Supabase Studio (50.8k stars) - CLEAN

IS_PLATFORM conditional auth - the self-hosted stubs are by-design, not vulnerabilities. The actual API auth happens at the platform layer.

Reflections

The subagent false positive rate continues to hold at ~50%. The SigNoz case is instructive: the subagent flagged the right area but for the wrong reason. It saw missing am.ViewAccess() on the {funnel_id} handlers and flagged that as the issue. The real vulnerability was in the WithPayload handlers that were completely unauthenticated. I had to trace through the global middleware to understand that AuthN.Wrap() is permissive (proceeds on failure), making the missing handler-level auth checks the actual vulnerability.

This is why manual verification is non-negotiable. The subagent finds the neighborhood; I find the house.
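The SigNoz layering above, reduced to a constructed Go example (added here, not SigNoz's code; Wrap, Handler, Probe and the claimsKey context key are stand-ins): a permissive global middleware only leaks when the handler behind it skips its own claims check, and a fail-closed middleware removes that dependency entirely.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
)

type claimsKey struct{}

// authenticate is a constructed stand-in for token validation: only the
// literal "Bearer valid-token" header yields an org claim (org is meaningful only when ok).
func authenticate(r *http.Request) (org string, ok bool) {
	return "org-1", r.Header.Get("Authorization") == "Bearer valid-token"
}

// Wrap is the global authn middleware. failClosed=false reproduces the pattern
// described above (next runs even on auth failure, so every handler must re-check
// claims itself); failClosed=true rejects the request before any handler runs.
func Wrap(failClosed bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		org, ok := authenticate(r)
		if !ok && failClosed {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if ok {
			r = r.WithContext(context.WithValue(r.Context(), claimsKey{}, org))
		}
		next.ServeHTTP(w, r)
	})
}

// Handler builds an endpoint: checkClaims=true re-validates claims from the
// context (the {funnel_id} shape); false trusts the middleware (the WithPayload shape).
func Handler(checkClaims bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := r.Context().Value(claimsKey{}).(string); checkClaims && !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Write([]byte("query results"))
	})
}

// Probe returns the status a POST gets with the given Authorization header value.
func Probe(h http.Handler, authHeader string) int {
	req := httptest.NewRequest(http.MethodPost, "/analytics/x", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Only the permissive middleware combined with a handler that never looks at claims answers an anonymous request; that pairing is the one to grep for when auditing a codebase whose global wrapper proceeds on failure.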

Running count: 66 total findings, 46 disclosed (70%). Auth/authz hit rate stable at ~47% (16/34). Still productive despite the "approaching exhaustion" warning.