Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but never used to scope the database query. This vulnerability is fixed in 4.0.0-beta.464.
Published: 2026-06-30
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR in the Deployment API of Coolify. An authenticated user can issue a GET request to /api/v1/deployments/{uuid} and obtain full deployment details belonging to any team. The request bypasses the intended team‑based authorization, exposing configuration and environment information that could reveal sensitive secrets. This flaw is classified as a medium‑severity information disclosure vulnerability (CWE‑639).

Affected Systems

Coolify installations on the coollabsio:coolify platform running any version prior to 4.0.0‑beta.464 are impacted. The vulnerability was remediated in version 4.0.0‑beta.464 and later releases are considered safe.

Risk and Exploitability

The CVSS score of 5 denotes moderate severity. Exploitation requires a valid authenticated session, so an attacker must first be able to log in to a Coolify instance. Because the EPSS score is unavailable and the issue is not listed in CISA’s KEV catalog, the current likelihood of exploitation is uncertain, but the attack vector is Local/Authenticated within the application. Accordingly, this vulnerability presents a moderate risk until a patch is applied.

Generated by OpenCVE AI on June 30, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Coolify version 4.0.0‑beta.464 or later. This patch removes the IDOR and enforces team‑based authorization on the Deployment API.
  • If an immediate upgrade is not possible, restrict access to the /api/v1/deployments endpoint so that only users belonging to the target team can invoke it, for example by applying firewall or reverse‑proxy rules that filter requests based on team membership.
  • Monitor API logs for unauthorized GET requests to /api/v1/deployments/{uuid} and investigate any anomalous activity.

Generated by OpenCVE AI on June 30, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but never used to scope the database query. This vulnerability is fixed in 4.0.0-beta.464.
Title Coolify: IDOR in Deployment API - Cross-Team Deployment Information Disclosure
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T14:32:25.434Z

Reserved: 2026-02-24T15:19:29.716Z

Link: CVE-2026-27883

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:30:16Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key