CVE-2026-27881
MediumCVSS 5.0Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
Coolify prior to version 4.0.0-beta.464 has a vulnerability in the `GET /api/v1/deployments/{uuid}` endpoint that does not validate whether the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment details from other teams by providing a valid deployment UUID.
Risk Assessment
The risk involves unauthorized access to sensitive deployment data of other teams, potentially leading to disclosure of application, database, or server configuration information.
Recommendation
Immediately update Coolify to version 4.0.0-beta.464 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.

