CVE Catalog

CVE-2026-57498

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile — higher than 13% of all known CVEs

Summary

Coolify prior to version 4.0.0-beta.474 has a vulnerability where Livewire web UI components accept server_id and destination_uuid from URL query parameters without team ownership validation. This allows cross-team resource deployment on servers belonging to other teams.

Risk Assessment

An attacker can exploit this flaw to deploy applications or services on servers of other teams, leading to unauthorized data access and potential infrastructure takeover.

Recommendation

Upgrade Coolify to version 4.0.0-beta.474 or later immediately, which fixes the missing server ownership validation in Livewire components.

Original NVD description (English source)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS