CVE Catalog

CVE-2026-34592

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

In Coolify prior to version 4.0.0-beta.471, server and project lookups are not scoped to the current team. An authenticated user can access servers and projects belonging to other teams by specifying their IDs directly.

Risk Assessment

The risk involves unauthorized access to sensitive data and configurations of servers and applications from other teams, potentially leading to information disclosure or system integrity compromise.

Recommendation

Immediately upgrade Coolify to version 4.0.0-beta.471 or later, which includes a fix that scopes lookups to the current team.

Original NVD description (English source)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying their IDs directly. This vulnerability is fixed in 4.0.0-beta.471.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS