Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Authenticated API access required (PR:L); discloses only domain names (C:L); no write or availability impact; scope unchanged within the application boundary.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid} bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
AnalysisAI
{server_uuid}/domains endpoint silently drops team-scope enforcement when the optional uuid query parameter is supplied, producing a classic IDOR (CWE-639) condition where a user-controlled key bypasses authorization. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified, but the low attack complexity and single authentication prerequisite make the flaw trivially exploitable by any tenant in a multi-tenant Coolify deployment.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid Coolify API authentication credential belonging to any team on the instance (PR:L - at least low-privilege authenticated access is mandatory; unauthenticated exploitation is not possible per the CVSS PR:L rating). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is well-calibrated: the attack is network-reachable with low complexity and requires only a valid API credential (PR:L), but impact is limited strictly to confidentiality of domain names (C:L) with no integrity or availability consequence (I:N/A:N, S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds valid API credentials on a shared Coolify instance - for example, a legitimate tenant or a user whose credentials were compromised - sends authenticated GET requests to /api/v1/servers/{known_server_uuid}/domains?uuid={target_app_uuid}, iterating or guessing application UUIDs. The server returns the FQDNs configured for that application without enforcing team membership, allowing the attacker to map the domain names and internal hostnames of applications belonging to other teams. … |
| Remediation | Upgrade to Coolify 4.0.0-beta.464 or any later release; this version is confirmed by the vendor to contain the fix per GitHub Security Advisory GHSA-9x6p-29p3-h466 (https://github.com/coollabsio/coolify/security/advisories/GHSA-9x6p-29p3-h466). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40333