Skip to main content

Coolify CVE-2026-34044

| EUVDEUVD-2026-41991 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-07 GitHub_M
7.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Any authenticated user (PR:L) can trigger the network log endpoint with low complexity; cross-team access crosses a trust boundary (S:C) exposing logs (C:H) with no write or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 05:01 EUVD
Analysis Generated
Jul 07, 2026 - 04:05 vuln.today

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by other teams by supplying a victim resource UUID. This issue is fixed in version 4.0.0-beta.466.

AnalysisAI

Cross-tenant log disclosure in Coolify (self-hosted PaaS) before 4.0.0-beta.466 lets any authenticated user read application logs belonging to other teams by supplying a victim resource's UUID. The Logs::mount() component resolves resources by UUID alone without verifying the caller's team ownership, breaking the multi-tenant isolation boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege Coolify user
Delivery
Obtain victim application resource UUID
Exploit
Request logs via Logs::mount() with victim UUID
Execution
Bypass missing team-scope check
Impact
Read other team's application logs

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Coolify account (PR:L) on an instance running a version prior to 4.0.0-beta.466, plus knowledge of a target application's resource UUID owned by a different team. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N = 7.7) is internally consistent with an IDOR: network-reachable, low complexity, requires a low-privilege authenticated account (any valid Coolify user), no user interaction, and a scope change reflecting cross-tenant boundary crossing with high confidentiality impact and no integrity/availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or is invited to a low-privilege account on a shared Coolify instance, then obtains or guesses another team's application resource UUID (e.g., from a shared link, screenshot, or enumeration) and requests its logs view. The Logs::mount() component returns the victim team's application logs without an ownership check, exposing runtime output that may include secrets, connection strings, or user data. …
Remediation Vendor-released patch: upgrade to Coolify 4.0.0-beta.466 or later, which adds team scoping to the Logs::mount() resource lookup (release: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466; advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-565g-9j4m-wqmr). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Coolify instances in production and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

CVE-2026-34044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy