Severity by source
CVSS 3.1 vector (Vendor, GitHub_M): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
An authenticated team member is required (PR:L), over the network with no user interaction; the IDOR lets one tenant reach another tenant's resources (S:C, C:H/I:H); availability is not clearly impacted per the advisory (A:N).
Primary rating from Vendor (GitHub_M).
Description (CVE.org)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.
Analysis (AI)
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated, low-privileged member of one team to deploy and manipulate resources belonging to other teams. While the REST API controllers correctly enforce ownership via Server::whereTeamId($teamId), several Livewire web UI components trust attacker-supplied server_id and destination_uuid URL query parameters with no team-ownership check (CWE-639). …
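The contrast the analysis draws, shown as an added illustration that is not Coolify's own code: a Livewire component that resolves server_id and destination_uuid straight from the query string (the pre-beta.474 pattern) beside one that scopes every lookup to the caller's team before the untrusted identifiers are applied. Server::whereTeamId() is the scoping the advisory says the API controllers already use; the currentTeam() helper, the StandaloneDocker model, its server_id column and the team_id column on Server are assumptions about the schema made for the example.

```php
<?php
// Added illustration, not Coolify's code. Names other than Server::whereTeamId()
// (currentTeam(), StandaloneDocker, server_id, team_id) are assumptions.

namespace App\Livewire\Example;

use App\Models\Server;
use App\Models\StandaloneDocker;
use Livewire\Component;

// Pre-fix pattern: a member of Team A can paste Team B's identifiers into
// /deploy?server_id=42&destination_uuid=... and the component loads (and later
// deploys to) Team B's server, because nothing ties the ids to the caller's team.
class VulnerableDeploy extends Component
{
    public Server $server;
    public StandaloneDocker $destination;

    public function mount(): void
    {
        $this->server = Server::findOrFail(request()->query('server_id'));
        $this->destination = StandaloneDocker::where('uuid', request()->query('destination_uuid'))
            ->firstOrFail();
    }

    public function render()
    {
        return view('livewire.example.deploy');
    }
}

// Hardened pattern: the server query is team-scoped before the untrusted id is
// applied, and the destination must hang off that team-scoped server, so a
// foreign destination_uuid cannot be reached by pairing it with a server the
// attacker does own. firstOrFail() answers 404 for both "does not exist" and
// "not yours", so the page does not become an enumeration oracle for other teams.
class HardenedDeploy extends Component
{
    public Server $server;
    public StandaloneDocker $destination;

    public function mount(): void
    {
        $teamId = currentTeam()->id; // assumption: helper returning the caller's active team
        $serverId = (int) request()->query('server_id');
        $destinationUuid = (string) request()->query('destination_uuid');

        $this->server = Server::whereTeamId($teamId)
            ->where('id', $serverId)
            ->firstOrFail();

        $this->destination = StandaloneDocker::where('server_id', $this->server->id)
            ->where('uuid', $destinationUuid)
            ->firstOrFail();
    }

    public function deploy(): void
    {
        // Defence in depth: re-check ownership on every action rather than
        // relying only on the state established in mount().
        abort_unless($this->server->team_id === currentTeam()->id, 403);
        // ... deployment logic ...
    }

    public function render()
    {
        return view('livewire.example.deploy');
    }
}
```

The point to check when auditing similar components is the order of operations: the team constraint must be part of the query that resolves the identifier, not a separate check applied after a global lookup, and the second identifier (destination) must be resolved through the already-scoped first one.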
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must be an authenticated Coolify user holding a (low-privilege) team account on the target instance (PR:L), and the instance must be multi-tenant with more than one team so that cross-team resource references exist. … |
| Risk Assessment | Available signals mostly point toward elevated risk, but exploitation is bounded by the authentication requirement. … |
| Exploit Scenario | A low-privileged but authenticated member of Team A logs into a shared Coolify instance, opens a deployment-related Livewire page, and edits the server_id and destination_uuid URL query parameters to values belonging to Team B. Because the UI component does not re-check team ownership, Coolify deploys or manipulates resources on Team B's server on the attacker's behalf, compromising another tenant's environment. … |
| Remediation | Upgrade to Coolify 4.0.0-beta.474, which adds team-ownership validation to the affected Livewire components; this is the primary and recommended fix (vendor-released patch: 4.0.0-beta.474, per GHSA-725v-f5gh-22q9 at https://github.com/coollabsio/coolify/security/advisories/GHSA-725v-f5gh-22q9). … |
Recommended Action (AI)
Within 24 hours: inventory all active Coolify instances and flag those hosting more than one team, since single-team instances have no cross-team target. No public exploit had been identified at the time of analysis, but upgrade multi-tenant instances to 4.0.0-beta.474 or later first; where an upgrade cannot happen immediately, restrict non-administrative users' access to the web UI and, where feasible, allow them API-only access, because the REST API controllers enforce team ownership while the affected Livewire pages do not. …
Related Coolify vulnerabilities
- Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo…
- A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application…
- Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba…
- Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap…
- Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss…
- Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica…
- Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
- Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0…
- An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers…
- A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application…
- An authenticated command injection vulnerability in Coolify's File Storage Directory Mount Path functionality allows use…
- An authenticated command injection vulnerability in Coolify's Dynamic Proxy Configuration Filename handling allows users…
Same technique: Authentication Bypass
EUVD ID: EUVD-2026-40222