Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
Published: 2026-06-30
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows any authenticated API user to retrieve Fully Qualified Domain Names (FQDNs) for applications that belong to teams other than the user’s own. This cross‑team enumeration of domain names is a disclosure of potentially sensitive infrastructure information. The weakness is identified as CWE‑639, which pertains to improper restriction of resources or information based on user identity.

Affected Systems

Open‑Source Coolify deployments from coollabsio are affected. The issue exists in all releases prior to 4.0.0‑beta.464; later versions contain a fix that restores proper team scoping for the domains endpoint.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and no EPSS score is available, suggesting limited public exploitation data. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to the API, so the risk is primarily to internal users with broader access than intended. By enumerating domain names, a malicious actor could map the organization’s application landscape, aiding further targeted attacks.

Generated by OpenCVE AI on June 30, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Coolify to version 4.0.0‑beta.464 or later to enforce team scoping for the domains endpoint
  • If a patch cannot be applied immediately, restrict API permissions for users that should not access other teams’ domain data, or disable the domains endpoint for non‑authenticated requests
  • Audit API usage logs to detect and investigate unauthorized domain enumeration attempts

Generated by OpenCVE AI on June 30, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
Title Coolify: Cross-team application domain enumeration via domains_by_server endpoint
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T15:06:17.965Z

Reserved: 2026-02-25T03:11:36.691Z

Link: CVE-2026-27956

cve-icon Vulnrichment

Updated: 2026-06-30T15:06:10.693Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:30:16Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key