HIGHCVE-2026-34592Published 2026-06-29Modified 2026-06-29CNA GitHub_M

CVE-2026-34592: Coolify: Cross-Team IDOR via Unscoped Server and Project Lookups Exposes SSH Keys and Infrastructure

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying their IDs directly. This vulnerability is fixed in 4.0.0-beta.471.

CVSS v3.1: 7.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

coollabsio / coolify
< 4.0.0-beta.471

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References

https://github.com/coollabsio/coolify/security/advisories/GHSA-qfcc-2fm3-9q42

Metrics

Get notified