CVE 9.6 CRITICAL

Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams’ Servers_CVE-2026-57498

9.6 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.

AI Analysis

Cross-team IDOR vulnerability in Coolify's Livewire web UI components

Basic Information

ID CVE-2026-57498
Source GitHub_M
Published Jun 29, 2026 at 20:12

Affected Product

Vendor coollabsio
Product coolify
Version < 4.0.0-beta.474
Affected Versions coollabsio coolify < 4.0.0-beta.474

CWE Classification

AI Assessment

AI Score 9.6 / 10
AI Severity Critical
Vendor coollabsio
Product Coolify
Version < 4.0.0-beta.474

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.