CVE-2026-27881
Status: Received - Intake

Unauthorized Team Data Access in Coolify

Vulnerability report for CVE-2026-27881, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor       Product   Version / Range
coollabsio   coolify   up to 4.0.0 (excluding)

Note: the CPE range is coarser than the advisory text, which states that versions prior to 4.0.0-beta.464 are affected and that 4.0.0-beta.464 contains the fix.

Exploitability

CWE: CWE-639 (Authorization Bypass Through User-Controlled Key): the system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Here the key is the deployment UUID in the URL path.


AI Quick Actions

Executive Summary

CVE-2026-27881 is an Insecure Direct Object Reference (IDOR) vulnerability in Coolify versions prior to 4.0.0-beta.464. It is located in the GET /api/v1/deployments/{uuid} endpoint (DeployController.php), which returns deployment details without verifying that the deployment belongs to the authenticated user's team.

This means any authenticated API user can access deployment records from other teams by providing a valid deployment UUID, exposing sensitive information such as application and server identifiers, deployment URLs, commit details, and status information.

The vulnerability arises because the code fetches deployment data without checking team ownership, unlike other methods that properly validate ownership before proceeding.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of deployment information across different teams within Coolify. An attacker with valid authentication credentials can access deployment details that they should not have permission to see.

The exposed data includes sensitive deployment-related information such as application and server identifiers, deployment URLs, commit details, and status information, which could be used for further attacks or to gain insights into the infrastructure.

Although the attack requires authentication and valid UUIDs, the impact is moderate due to the potential leakage of confidential deployment data.

Detection Guidance

To confirm whether an instance is affected, request the GET /api/v1/deployments/{uuid} endpoint with a token that does not belong to the deployment's team. You need two things: an API token issued to team A, and the UUID of a deployment owned by a different team B. First request the record with a team-B token to establish that the UUID is valid and readable by its owner; then repeat the identical request with the team-A token.

  • Example command to test access with curl:
  • curl -H "Authorization: Bearer <token>" https://<coolify-server>/api/v1/deployments/<uuid>

If the team-A token receives the team-B deployment details, the instance is vulnerable. On a version with the fix (4.0.0-beta.464 or later) the cross-team request should be refused. A request for a nonexistent UUID is not a useful control, because it never exercises the ownership check. Only test instances you are authorised to assess.
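The baseline-then-probe procedure above, scripted so it can be repeated across many deployments. This is an added example for this advisory, not Coolify project code. It assumes two API tokens on the instance under test (an owner token for the team that holds the deployment and a foreign token for another team), and it assumes the deployment record is a JSON object carrying an `id`, `uuid` or `deployment_uuid` field; adjust `looks_like_deployment` to whatever the baseline response actually contains. `fake_server` is a constructed stand-in so the logic can be exercised offline.

```python
"""Cross-team access probe for GET /api/v1/deployments/{uuid}.

Added example for this advisory; it is not Coolify project code. It assumes
two API tokens on the instance under test: one for the team that owns the
deployment (baseline request) and one for a team that does not (probe
request). Target only instances you are authorised to test.
"""
import json
import sys
import urllib.error
import urllib.request


def http_get(url, token, timeout=10):
    """Live fetcher: GET url with a bearer token, return (status, body_text)."""
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def looks_like_deployment(body):
    """True when the body is a JSON object that carries a record identifier.

    The field names are assumptions; compare against the baseline response.
    Checking only for a 200 status is not enough, because some servers answer
    200 with an error envelope.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if isinstance(data, dict) and isinstance(data.get("data"), dict):
        data = data["data"]  # tolerate a {"data": {...}} envelope
    return isinstance(data, dict) and any(
        k in data for k in ("id", "uuid", "deployment_uuid")
    )


def probe(base_url, deployment_uuid, owner_token, foreign_token, fetch=http_get):
    """Baseline with the owner token, then repeat with the foreign token.

    'verdict' is one of:
      'inconclusive'   - the owner token could not read the record, so the
                         UUID/token pairing is wrong and nothing is proven;
      'vulnerable'     - the foreign token received a deployment record;
      'not_vulnerable' - the foreign token was refused.
    """
    url = f"{base_url.rstrip('/')}/api/v1/deployments/{deployment_uuid}"
    owner_status, owner_body = fetch(url, owner_token)
    if owner_status != 200 or not looks_like_deployment(owner_body):
        return {"verdict": "inconclusive", "owner_status": owner_status,
                "foreign_status": None}
    foreign_status, foreign_body = fetch(url, foreign_token)
    leaked = foreign_status == 200 and looks_like_deployment(foreign_body)
    return {
        "verdict": "vulnerable" if leaked else "not_vulnerable",
        "owner_status": owner_status,
        "foreign_status": foreign_status,
    }


def fake_server(enforces_team_check):
    """Constructed stand-in for the API so the probe can run offline."""
    record = json.dumps({"id": 42, "uuid": "constructed-uuid", "status": "finished"})

    def fetch(url, token):
        if token == "owner-token" or not enforces_team_check:
            return 200, record
        # Refusal; the exact status a patched server returns is not assumed.
        return 404, json.dumps({"message": "Not found."})

    return fetch


if __name__ == "__main__":
    if len(sys.argv) == 5:
        base, uuid, owner, foreign = sys.argv[1:]
        print(json.dumps(probe(base, uuid, owner, foreign), indent=2))
    else:  # offline demonstration against the constructed servers
        for fixed in (False, True):
            result = probe("https://coolify.example", "constructed-uuid",
                           "owner-token", "foreign-token", fake_server(fixed))
            print("patched" if fixed else "unpatched", result["verdict"])
```

Run it as `python probe.py https://<coolify-server> <uuid> <owner-token> <foreign-token>` against a live instance; with no arguments it runs against the constructed servers and prints `unpatched vulnerable` and `patched not_vulnerable`. The baseline request matters: without it, a refusal for the foreign token could simply mean the UUID does not exist.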

Mitigation Strategies

The immediate mitigation is to upgrade Coolify to 4.0.0-beta.464 or later, where the endpoint validates team ownership before returning deployment details.

If upgrading is not immediately possible, reduce who can reach the endpoint: issue API tokens only to users who need them, revoke tokens that are no longer required, and review API access logs for clients reading deployment records that belong to other teams or an unusual number of distinct deployment UUIDs.

Additionally, keep authentication tokens out of shared configuration and ticketing systems, and consider network-level restrictions (for example, exposing the API only on an internal network or VPN) to limit who can present a token at all.
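One way to do the log review suggested above. This is an added example, not Coolify project code or a format Coolify itself emits: it assumes API requests pass through a reverse proxy that writes Common Log Format lines, and the sample lines, IP addresses and UUIDs are constructed. The actor key is the client IP, since that is the only identity a proxy log normally carries; a client that successfully reads many distinct deployment UUIDs in a short window is worth a look, because the vulnerable endpoint returns a record for any valid UUID and a single team rarely reads that many by hand.

```python
"""Flag clients that read an unusual number of distinct deployment records.

Added example for this advisory, not Coolify project code. Assumes Common Log
Format lines from a reverse proxy in front of the Coolify API; the sample
lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DEPLOYMENT_PATH_RE = re.compile(r'^/api/v1/deployments/(?P<uuid>[^/?]+)')

# Constructed sample: one client reads four different deployments in four
# seconds, another re-reads the same one twice, plus an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2026:10:00:01 +0000] "GET /api/v1/deployments/aaaa1111 HTTP/1.1" 200 512
203.0.113.5 - - [30/Jun/2026:10:00:02 +0000] "GET /api/v1/deployments/bbbb2222 HTTP/1.1" 200 498
203.0.113.5 - - [30/Jun/2026:10:00:03 +0000] "GET /api/v1/deployments/cccc3333 HTTP/1.1" 200 503
203.0.113.5 - - [30/Jun/2026:10:00:04 +0000] "GET /api/v1/deployments/dddd4444 HTTP/1.1" 200 511
198.51.100.7 - - [30/Jun/2026:10:00:05 +0000] "GET /api/v1/deployments/aaaa1111 HTTP/1.1" 200 512
198.51.100.7 - - [30/Jun/2026:10:00:06 +0000] "GET /api/v1/deployments/aaaa1111 HTTP/1.1" 200 512
203.0.113.5 - - [30/Jun/2026:10:00:07 +0000] "GET /api/v1/applications HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return (ip, timestamp, uuid, status) for a deployment read, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    p = DEPLOYMENT_PATH_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, p.group("uuid"), int(m.group("status"))


def flag_enumeration(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Map client IP -> peak number of distinct UUIDs read within one window,
    for clients that exceeded max_distinct. Only 200 responses count, since
    only those actually disclosed a record."""
    reads = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == 200:
            ip, ts, uuid, _ = parsed
            reads[ip].append((ts, uuid))
    flagged = {}
    for ip, events in reads.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {u for _, u in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    for ip, count in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct deployment records in one window")
```

Tune `window` and `max_distinct` to the instance's normal traffic (a CI pipeline polling one deployment repeatedly will not trip it, because repeated reads of the same UUID count once), and treat a hit as a prompt to check which teams own the UUIDs involved rather than as proof of abuse.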

Compliance Impact

The vulnerability in Coolify allows authenticated users to access deployment details from other teams without proper authorization, leading to unauthorized information disclosure.

Where deployment records contain personal data or identify regulated systems, such access could affect compliance with data protection regulations like GDPR and HIPAA, which require access to personal and sensitive information to be restricted to authorised parties.

Specifically, returning deployment details without validating team ownership is a failure of the access-control and confidentiality requirements these standards impose on multi-tenant systems.
