Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.
Published: 2026-06-30
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lets any authenticated API user retrieve another team's deployment record through GET /api/v1/deployments/{uuid} by supplying that deployment's UUID. It is an authorization bypass through a user-controlled key (IDOR, CWE-639): the endpoint looks the record up by UUID alone and never checks that the deployment belongs to the caller's team. The attacker needs only an API token of their own and a valid UUID from the target team; no other team's credentials have to be compromised. The CVSS vector rates confidentiality impact as low with no integrity or availability impact, so the exposure is read-only disclosure of deployment details.
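The vulnerable lookup and its hardened form, written here as an illustrative Laravel-style controller (added example, not Coolify's actual DeployController.php). The model name ApplicationDeploymentQueue, the application -> environment -> project -> team relation chain, and the team_id column on the API token are assumptions about how the records are linked; only the pattern (filter by the caller's team, not by the caller-supplied key alone) is the point.

```php
<?php
// Added example: illustrative Laravel-style controller, not Coolify's own code.
// ApplicationDeploymentQueue, the relation chain and the token's team_id column
// are assumptions for illustration.

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\Models\ApplicationDeploymentQueue; // assumed model backing deployment records
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class DeployController extends Controller
{
    // Vulnerable pattern (CWE-639): the record is fetched by the caller-supplied
    // UUID alone, so any authenticated token can read any team's deployment.
    public function deploymentByUuidVulnerable(Request $request, string $uuid): JsonResponse
    {
        $deployment = ApplicationDeploymentQueue::where('deployment_uuid', $uuid)->first();
        if (! $deployment) {
            return response()->json(['message' => 'Deployment not found.'], 404);
        }

        return response()->json($deployment);
    }

    // Hardened pattern: resolve the team from the token, then constrain the query
    // to deployments whose parent application belongs to that team. A deployment
    // owned by another team is indistinguishable from a non-existent one (404), so
    // the endpoint also does not confirm whether a guessed UUID exists.
    public function deploymentByUuid(Request $request, string $uuid): JsonResponse
    {
        $teamId = $this->teamIdFromRequest($request);
        if ($teamId === null) {
            return response()->json(['message' => 'Invalid token.'], 401);
        }

        $deployment = ApplicationDeploymentQueue::where('deployment_uuid', $uuid)
            ->whereHas('application', function ($q) use ($teamId) {
                // assumed relation chain: application -> environment -> project (team_id)
                $q->whereHas('environment.project', fn ($p) => $p->where('team_id', $teamId));
            })
            ->first();

        if (! $deployment) {
            return response()->json(['message' => 'Deployment not found.'], 404);
        }

        return response()->json($deployment);
    }

    // The team comes from the server-side token record (assumed team_id column on
    // the Sanctum access token), never from a query parameter or request body the
    // caller controls.
    private function teamIdFromRequest(Request $request): ?int
    {
        $token = $request->user()?->currentAccessToken();

        return $token?->team_id;
    }
}
```

To confirm the check on a patched instance, call the endpoint with a token issued to team B and the UUID of a deployment owned by team A: the hardened handler returns 404, while the vulnerable one returns 200 with the record.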

Affected Systems

The affected product is Coolify (coollabsio:coolify) from Coollabsio. Versions prior to 4.0.0‑beta.464 return deployment records to API calls from other teams. The issue is fixed in 4.0.0‑beta.464.

Risk and Exploitability

The CVSS 3.1 score of 5.0 indicates moderate severity; the vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) reflects a network-reachable endpoint, low-privilege authentication, no user interaction, and a changed scope because the authorization boundary crossed is between teams. No EPSS score is available, so the current likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. An attacker must hold a valid API token and know the target deployment's UUID; given both, the missing ownership check lets them read that deployment's details. Upgrading to the fixed release removes the exposure; limiting who holds API tokens reduces the pool of potential callers in the meantime.

Generated by OpenCVE AI on June 30, 2026 at 16:23 UTC.

Remediation

The CVE description states that the issue is fixed in Coolify 4.0.0-beta.464; no separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade Coolify to version 4.0.0‑beta.464 or later.
  • Limit API credentials to the team members who need them, and verify that deployment endpoints enforce team ownership on every lookup.
  • Review API access logs for deployment reads by tokens that do not belong to the deployment's team, and alert on such requests.


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.
Title | | Coolify: Cross-team deployment information disclosure via GET /api/v1/deployments/{uuid} (IDOR)
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T14:28:38.449Z

Reserved: 2026-02-24T15:19:29.715Z

Link: CVE-2026-27881

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:30:16Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key