Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
PR:L for required authentication; S:C for cross-team boundary violation; C:H because exposed SSH outputs routinely contain credentials enabling downstream infrastructure compromise.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute. It loads activities via Activity::find($this->activityId) with no authorization or team scoping. Activity IDs are auto-incrementing integers. Any authenticated user can enumerate activity records across all teams and read the full command output from remote SSH processes, which may include secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Coolify's ActivityMonitor Livewire component allows any authenticated user to enumerate and read activity records belonging to other teams, including full SSH process command outputs that may contain secrets, credentials, and infrastructure configuration details. Affected are all Coolify self-hosted deployments prior to version 4.0.0-beta.471. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated user account on the Coolify instance (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.0 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N reflects a medium-severity rating, but the C:L assignment likely understates real-world impact: SSH process outputs intercepted via this flaw can contain private keys, plaintext passwords, API tokens, and server configuration secrets that enable full infrastructure compromise beyond Coolify itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privilege user on a shared Coolify instance navigates to the ActivityMonitor component and intercepts the Livewire network request. They replace the activityId value with sequential integers - 1, 2, 3, and so on - in their browser's developer tools or a proxy, iterating through all activities recorded on the system. … |
| Remediation | Upgrade to Coolify version 4.0.0-beta.471 or later, which adds the Livewire #[Locked] attribute to $activityId and enforces team-scoped authorization on activity lookups, as detailed in the security advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-962v-gxmw-56hc and the pull request at https://github.com/coollabsio/coolify/pull/9189. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41959