Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Authenticated web action (PR:L, AV:N, AC:L) with no user interaction; tenant-boundary bypass justifies S:C, with high confidentiality/integrity over cross-team resources and low availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464.
Articles & Coverage 1
AnalysisAI
Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated Coolify account (CVSS PR:L) and a multi-tenant deployment where more than one team exists - the attacker must be able to reference a destination resource ID owned by a different team, which is the concrete prerequisite since single-team instances have no cross-tenant target. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L yields 9.9 driven largely by the scope change (S:C) reflecting one tenant reaching another tenant's data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker signs up for or already holds a low-privileged account on a shared Coolify instance that hosts multiple teams. Using the clone feature, they invoke the cloneTo() Livewire action with a destination identifier belonging to another team, and because the destination is resolved without a team scope, they clone into and read resources owned by that victim tenant. … |
| Remediation | Vendor-released patch: upgrade to Coolify 4.0.0-beta.464 or later, which adds team scoping to destination resource resolution in the cloneTo() action (fixing commit 1759a1631cd63271ebf6caa250c6d93440eaa333; advisory GHSA-ggrr-wrvr-x83v at https://github.com/coollabsio/coolify/security/advisories/GHSA-ggrr-wrvr-x83v; release https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.464). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Coolify deployments and identify versions; review access logs for anomalous cross-team resource cloning activity between teams. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41996