CRITICAL | CVE-2026-57498 | CNA: GitHub_M

CVE-2026-57498: Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams' Servers

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an insecure direct object reference (IDOR) vulnerability in Coolify, an open-source self-hostable server and application management platform. An authenticated user with a low-privilege account can reach the affected Livewire web UI components over the network and supply arbitrary server_id and destination_uuid query parameters that belong to a different team, bypassing the ownership checks that the API layer correctly enforces. Successful exploitation lets the attacker deploy workloads to servers owned by other teams and read or modify those servers' configurations. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.
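The vulnerable pattern and its team-scoped fix, as an added illustration that is not Coolify's own code: a Livewire component that resolves server_id and destination_uuid straight from the query string beside one that resolves them only within the caller's team, mirroring the Server::whereTeamId($teamId) check the API layer already applies. The class, model and helper names (Destination, currentTeam()) are assumptions.

```php
<?php
// Illustrative Livewire component (not Coolify's code) modelling CVE-2026-57498.
// Assumptions: Server and Destination are Eloquent models with a team_id
// column (Destination via its parent server), and currentTeam() returns the
// team of the authenticated session.

namespace App\Livewire\Illustrative;

use App\Models\Destination;   // assumed model, has uuid + belongsTo(Server)
use App\Models\Server;        // assumed model, has team_id
use Livewire\Component;

class DeployTarget extends Component
{
    public ?Server $server = null;
    public ?Destination $destination = null;

    // BEFORE (vulnerable, kept only for comparison): identifiers taken from the
    // URL are looked up globally, so any authenticated user in team A can pick
    // a server or destination that belongs to team B. This is the IDOR.
    public function resolveUnscoped(): void
    {
        $this->server = Server::findOrFail(request()->query('server_id'));
        $this->destination = Destination::where('uuid', request()->query('destination_uuid'))
            ->firstOrFail();
    }

    // AFTER (hardened): every lookup is constrained to the current team before
    // the primary key or uuid is matched. whereTeamId() is Eloquent's dynamic
    // where('team_id', ...) finder, the same scope the API controllers use.
    // A record owned by another team is indistinguishable from a missing one (404),
    // so the component neither confirms nor uses cross-team identifiers.
    public function mount(): void
    {
        $teamId = currentTeam()->id;   // assumed helper

        $this->server = Server::whereTeamId($teamId)
            ->findOrFail(request()->query('server_id'));

        $this->destination = Destination::where('uuid', request()->query('destination_uuid'))
            ->whereHas('server', fn ($q) => $q->whereTeamId($teamId))
            ->firstOrFail();
    }

    public function render()
    {
        return view('livewire.illustrative.deploy-target');
    }
}
```

When auditing a Laravel/Livewire codebase for the same class of bug, grep for findOrFail/firstOrFail calls fed by request()->query() or public Livewire properties and confirm each one is preceded by a team or owner scope.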

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-57498 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images that include any affected version of the coollabsio/coolify package, including custom-built images that bundle Coolify. Coverage applies to both registry scans and in-pipeline image checks.

Triage (status: Available)

Triage is available with the CVSS 3.1 score of 9.6 (Critical) applied automatically, weighted further by each customer organization's compliance policy to reflect their actual exposure. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch (status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released upstream. In the interim, the finding remains open and visible in each affected environment's dashboard so teams can apply compensating controls immediately.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Coolify web UI over the network; the vulnerable Livewire components are exposed via the application's HTTP interface.

  • Authentication: Required

    Any low-privilege account within the Coolify instance is sufficient; the attacker does not need administrative credentials, only a valid session in a different team.

  • Victim interaction: Not required

    No victim action is needed; the attacker crafts the query parameters directly and submits the request without any social-engineering step.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; the attacker simply supplies a known or guessed server_id or destination_uuid belonging to another team, with no race conditions or special environment state required.

Blast Radius

  • Reads server configuration details and deployment targets belonging to other teams within the same Coolify instance.
  • Deploys attacker-controlled applications or workloads onto infrastructure owned by other teams, potentially exfiltrating data processed on those servers.
  • Modifies deployment destinations, allowing persistent access to or manipulation of cross-team server resources.

How HarborGuard Handles This

Available on HarborGuard: any image containing an affected version of coollabsio/coolify is flagged immediately upon scan, with the Critical CVSS 9.6 score surfaced in each customer's finding dashboard. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, an automated regression run and PR against affected workloads the moment a fix version is published. While waiting for an upstream patch, customers are advised to isolate Coolify instances using network policy so that access to the web UI is restricted to trusted internal networks or VPN; egress filtering on Coolify hosts can limit the blast radius of cross-team deployments. Teams that cannot apply network isolation immediately should audit Coolify user accounts and remove any accounts that do not require access, reducing the pool of principals who could exploit the IDOR.

Affected packages

  • coollabsio / coolify: < 4.0.0-beta.474

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N