Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Requires authenticated Coolify account (PR:L) over the network (AV:N); crosses team authorization boundary (S:C) with limited read-only confidentiality impact (C:L) and no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the GET /api/v1/deployments/{uuid} endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but never used to scope the database query. This vulnerability is fixed in 4.0.0-beta.464.
AnalysisAI
{uuid} endpoint extracts the requesting user's teamId from their authentication token but never applies it to scope the underlying database query, meaning any valid UUID is sufficient to retrieve another team's data. Exploitation requires a valid Coolify account; no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid, authenticated Coolify user account at any privilege level (PR:L), meaning the attacker must first obtain credentials for the target instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N yields a score of 5.0 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user on a shared Coolify instance observes deployment UUIDs referenced in the application UI or API responses for their own team, then systematically queries GET /api/v1/deployments/{uuid} substituting UUIDs from other teams' deployments. Because the server performs no team ownership check, it returns full deployment details - potentially including service names, server references, environment configurations, and deployment history - for resources the attacker has no legitimate access to. … |
| Remediation | Upgrade Coolify to version 4.0.0-beta.464 or later, which resolves the authorization bypass by correctly scoping the deployment lookup query to the authenticated user's team. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40331