CVE-2026-34592
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
In Coolify prior to version 4.0.0-beta.471, server and project lookups are not scoped to the current team. An authenticated user can access servers and projects belonging to other teams by specifying their IDs directly.
Risk Assessment
The risk involves unauthorized access to sensitive data and configurations of servers and applications from other teams, potentially leading to information disclosure or system integrity compromise.
Recommendation
Immediately upgrade Coolify to version 4.0.0-beta.471 or later, which includes a fix that scopes lookups to the current team.
Original NVD description (English source)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying their IDs directly. This vulnerability is fixed in 4.0.0-beta.471.

