
Coolify CVE-2026-57498

EUVD: EUVD-2026-40222 · CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
Published 2026-06-29 · Source: GitHub_M
CVSS 3.1 score: 9.6 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 9.6 CRITICAL
  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

vuln.today AI: 9.6 CRITICAL
  Rationale: an authenticated team member is required (PR:L), over the network, with no user interaction; the IDOR lets one tenant reach another tenant's resources (S:C, C:H/I:H); availability is not clearly impacted per the advisory (A:N).
  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Jun 29, 2026, 22:02 (EUVD)
Analysis generated: Jun 29, 2026, 20:32 (vuln.today)

Description (CVE.org)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.

Analysis (AI)

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated, low-privileged member of one team to deploy and manipulate resources belonging to other teams. While the REST API controllers correctly enforce ownership via Server::whereTeamId($teamId), several Livewire web UI components trust attacker-supplied server_id and destination_uuid URL query parameters with no team-ownership check (CWE-639). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: authenticate as a low-privilege team member
Delivery: open a vulnerable Livewire UI page
Exploit: set server_id/destination_uuid to the victim team's identifiers
Execution: the component skips the team-ownership check
Impact: deploy or manipulate cross-team resources

Vulnerability Assessment (AI)

Exploitation: The attacker must be an authenticated Coolify user holding a (low-privilege) team account on the target instance (PR:L), and the instance must be multi-tenant with more than one team so that cross-team resource references exist. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals are mostly consistent toward elevated risk, but exploitation is bounded by authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A low-privileged but authenticated member of Team A logs into a shared Coolify instance, opens a deployment-related Livewire page, and edits the server_id and destination_uuid URL query parameters to values belonging to Team B. Because the UI component does not re-check team ownership, Coolify deploys or manipulates resources on Team B's server on the attacker's behalf, compromising another tenant's environment. …

Remediation: Upgrade to Coolify 4.0.0-beta.474, which adds team-ownership validation to the affected Livewire components; this is the primary and recommended fix (vendor-released patch 4.0.0-beta.474, per GHSA-725v-f5gh-22q9 at https://github.com/coollabsio/coolify/security/advisories/GHSA-725v-f5gh-22q9). … Detailed patch versions, workarounds, and compensating controls in full report.
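The defect the description and remediation above describe is the classic CWE-639 shape: the API path scopes lookups to the caller's team (Server::whereTeamId($teamId)), while the Livewire path resolves identifiers from the URL globally. The following is an added illustration written for this page, not Coolify's own code; the component, model, route and relationship names (DeployResourceVulnerable, DeployResourceHardened, Destination, currentTeam, destinations()) are hypothetical stand-ins, and only the Server::whereTeamId check is taken from the advisory text.

```php
<?php
// Added illustration of the CWE-639 pattern described in the advisory and of the
// tenant-scoped fix. Not Coolify's code: the component, property, relationship
// and accessor names below are hypothetical stand-ins.

namespace App\Livewire\Example;

use App\Models\Destination; // assumed: belongs to a Server, looked up by uuid
use App\Models\Server;      // assumed: Eloquent model with a team_id column
use Livewire\Component;

// BEFORE: the component reads server_id and destination_uuid from the URL and
// resolves them globally. Any authenticated user who supplies another team's
// identifiers gets that team's server and destination bound into the form.
class DeployResourceVulnerable extends Component
{
    public ?Server $server = null;
    public ?Destination $destination = null;

    public function mount(): void
    {
        $this->server = Server::findOrFail(request()->query('server_id'));
        $this->destination = Destination::where('uuid', request()->query('destination_uuid'))
            ->firstOrFail();
    }

    public function deploy(): void
    {
        // Deploys onto whatever mount() bound; ownership is never checked.
        $this->destination->deploy();
    }
}

// AFTER: every lookup starts from the caller's current team, so a foreign
// server_id or destination_uuid fails to resolve (404) instead of being honored.
// Server::whereTeamId() is Eloquent's dynamic "where" on the team_id column,
// the same check the advisory says the API controllers already applied.
class DeployResourceHardened extends Component
{
    public ?Server $server = null;
    public ?Destination $destination = null;

    public function mount(): void
    {
        $teamId = auth()->user()->currentTeam->id; // assumed accessor for the active team

        $this->server = Server::whereTeamId($teamId)
            ->findOrFail(request()->query('server_id'));

        // Resolve the destination only through the already-authorized server,
        // so the uuid cannot point at a destination owned by another team.
        $this->destination = $this->server->destinations()
            ->where('uuid', request()->query('destination_uuid'))
            ->firstOrFail();
    }

    public function deploy(): void
    {
        // Re-check on the action itself: Livewire actions arrive in later
        // requests than mount(), so do not rely on the bound models alone.
        abort_unless(
            $this->server->team_id === auth()->user()->currentTeam->id,
            403
        );
        $this->destination->deploy();
    }
}
```

The design point is that the hardened component never has a code path that can hold a foreign model: the team scope is applied at the query, the child resource is reached only through its authorized parent, and the action repeats the check rather than trusting state bound on an earlier request. A quick audit for the same class of bug is to grep the UI layer for findOrFail / where('uuid', …) calls that are not preceded by a team or user scope.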

Recommended Action (AI)

24 hours: Identify all active Coolify deployments and classify by multi-tenancy usage; although no public exploit has been identified at time of analysis, immediately restrict non-administrative user access to Livewire web UI components while preserving API-only access where possible. …


CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

CVE-2025-66210 HIGH POC
8.8 Dec 23

A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application

CVE-2025-66213 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's File Storage Directory Mount Path functionality allows use

CVE-2025-66212 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's Dynamic Proxy Configuration Filename handling allows users


CVE-2026-57498 vulnerability details – vuln.today
