CVE-2026-27883
Status: Received - Intake

Unauthorized Team Data Access in Coolify

Vulnerability report for CVE-2026-27883, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but never used to scope the database query. This vulnerability is fixed in 4.0.0-beta.464.

CVSS Scores

EPSS Scores


Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-06-30
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor: coollabsio
Product: coolify
Version / Range: all versions before 4.0.0-beta.464 (4.0.0-beta.464 itself not affected)

Helpful Resources

Exploitability

CWE
CWE ID Description
CWE-639 Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

KEV

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users to access deployment details belonging to any team, bypassing team-based authorization. As a result, sensitive information such as environment variables, API keys, and database credentials may be exposed to unauthorized users.

Exposure of such sensitive data can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Therefore, this vulnerability undermines the multi-tenant isolation model and could result in non-compliance with common standards and regulations that mandate confidentiality and proper authorization mechanisms.

Executive Summary

CVE-2026-27883 is an Insecure Direct Object Reference (IDOR) vulnerability in the Coolify Deployment API. It occurs because the GET /api/v1/deployments/{uuid} endpoint allows any authenticated user to access deployment details of any team, bypassing the intended team-based authorization.

The issue arises because the $teamId extracted from the authentication token is not used to limit the database query, allowing users to retrieve deployment metadata that does not belong to their team.

This metadata can include application names, server details, commit information, and sensitive build logs containing environment variables, API keys, and database credentials.
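The query-scoping mistake described above, as an added example that is not Coolify's own code: a small Python/sqlite3 model of the endpoint in which the token-to-team lookup, the deployment rows and the column names are all constructed for the demonstration. `get_deployment_vulnerable` derives the caller's team from the token but looks the row up by UUID alone, which is the pre-beta.464 behaviour the description gives; `get_deployment_fixed` adds the team to the query.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample data (not Coolify's schema): two teams, one deployment each.
# The token -> team_id map stands in for the $teamId that Coolify derives from
# the bearer token on each request.
TOKENS = {"token-team-1": 1, "token-team-2": 2}

DEPLOYMENTS = [
    # (uuid, team_id, application, server, commit_sha)
    ("a1b2c3d4", 1, "billing-api", "prod-eu-1", "4f2e9c1"),
    ("e5f6a7b8", 2, "marketing-site", "prod-us-1", "9d8c7b6"),
]
COLUMNS = ("uuid", "team_id", "application", "server", "commit_sha")


def make_db() -> sqlite3.Connection:
    """In-memory table of deployments, each row tagged with its owning team."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE deployments (uuid TEXT PRIMARY KEY, team_id INTEGER NOT NULL, "
        "application TEXT, server TEXT, commit_sha TEXT)"
    )
    conn.executemany("INSERT INTO deployments VALUES (?, ?, ?, ?, ?)", DEPLOYMENTS)
    return conn


def team_from_token(token: str) -> Optional[int]:
    """Resolve the caller's team from the bearer token (constructed lookup)."""
    return TOKENS.get(token)


def get_deployment_vulnerable(conn, token, uuid) -> Tuple[int, Optional[dict]]:
    """Pre-beta.464 behaviour: team_id is extracted but never reaches the query."""
    team_id = team_from_token(token)
    if team_id is None:
        return 401, None
    row = conn.execute(
        "SELECT uuid, team_id, application, server, commit_sha "
        "FROM deployments WHERE uuid = ?",
        (uuid,),
    ).fetchone()
    if row is None:
        return 404, None
    return 200, dict(zip(COLUMNS, row))


def get_deployment_fixed(conn, token, uuid) -> Tuple[int, Optional[dict]]:
    """Scoped lookup: the row must match both the uuid and the caller's team."""
    team_id = team_from_token(token)
    if team_id is None:
        return 401, None
    row = conn.execute(
        "SELECT uuid, team_id, application, server, commit_sha "
        "FROM deployments WHERE uuid = ? AND team_id = ?",
        (uuid, team_id),
    ).fetchone()
    if row is None:
        # Same answer for "does not exist" and "belongs to another team", so the
        # endpoint cannot be used to confirm which UUIDs exist.
        return 404, None
    return 200, dict(zip(COLUMNS, row))


if __name__ == "__main__":
    db = make_db()
    # Team 2's token asking for team 1's deployment.
    print("vulnerable:", get_deployment_vulnerable(db, "token-team-2", "a1b2c3d4"))
    print("fixed:     ", get_deployment_fixed(db, "token-team-2", "a1b2c3d4"))
```

The fixed variant answers 404 rather than 403 for a deployment owned by another team, so a caller cannot use the endpoint to learn which UUIDs exist; whether Coolify's fix chose that status is not stated on this page.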

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive deployment information across teams within the Coolify platform.

  • Exposure of application names and server details.
  • Access to commit information that could reveal development details.
  • Potential leakage of sensitive build logs containing environment variables, API keys, and database credentials.

Such exposure can increase the risk of further attacks, including unauthorized access to systems and data breaches.

Detection Guidance

To confirm the issue on a given instance, test whether a user authenticated to one team can read deployment details owned by a different team via the GET /api/v1/deployments/{uuid} endpoint.

Deployment UUIDs are random, so they cannot be guessed in bulk, but they are exposed in API responses and webhook payloads. A tester with accounts in two separate teams can take deployment UUIDs that the first team's account can legitimately see and request them with a token issued to the second team.

A possible command to test this using curl would be:

  • curl -H "Authorization: Bearer <token>" https://<coolify-server>/api/v1/deployments/<uuid>

Replace <token> with a token issued to a user outside the owning team and <uuid> with a deployment UUID that belongs to that other team. If the response is 200 with the deployment's details, the vulnerability is present; a fixed instance rejects the request. Run this against a staging instance with test data you control rather than against other teams' real deployments.
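The check above as a script, added here as an example that is not part of the page or of Coolify: it first confirms each team's token can read its own deployments, then requests every team's deployment UUIDs with the other teams' tokens and reports each 200 as a finding. `urllib_fetch` talks to a real instance; `simulated_fetch`, the token names and the UUIDs are constructed so the script runs offline, and the base URL `https://coolify.example` in the final comment is a placeholder.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher takes (token, uuid) and returns (HTTP status, response body).
Fetch = Callable[[str, str], Tuple[int, str]]


def urllib_fetch(base_url: str) -> Fetch:
    """Fetcher that issues GET /api/v1/deployments/{uuid} against a real instance."""
    def fetch(token: str, uuid: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v1/deployments/{uuid}",
            headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def simulated_fetch(patched: bool) -> Fetch:
    """Constructed stand-in for a Coolify server so the check runs offline.
    Deployment d-a1 belongs to the holder of tok-a, d-b1 to the holder of tok-b."""
    owner_token = {"d-a1": "tok-a", "d-b1": "tok-b"}

    def fetch(token: str, uuid: str) -> Tuple[int, str]:
        if uuid not in owner_token:
            return 404, ""
        if patched and owner_token[uuid] != token:
            return 404, ""  # scoped lookup: another team's uuid is not found
        return 200, '{"uuid": "%s"}' % uuid
    return fetch


def check_own_access(fetch: Fetch, tokens: Dict[str, str],
                     uuids: Dict[str, List[str]]) -> Dict[str, bool]:
    """Control: each team's token must read its own deployments, otherwise a
    later non-200 proves nothing about authorization."""
    return {
        team: all(fetch(tokens[team], u)[0] == 200 for u in uuids.get(team, []))
        for team in tokens
    }


def check_cross_team_access(fetch: Fetch, tokens: Dict[str, str],
                            uuids: Dict[str, List[str]]) -> List[dict]:
    """Request every team's deployment UUIDs with every other team's token.
    Each 200 is a finding: that token read a deployment its team does not own."""
    findings = []
    for requester, token in tokens.items():
        for owner, owned in uuids.items():
            if owner == requester:
                continue
            for uuid in owned:
                status, _ = fetch(token, uuid)
                if status == 200:
                    findings.append({"requester": requester, "owner": owner, "uuid": uuid})
    return findings


TOKENS = {"team-a": "tok-a", "team-b": "tok-b"}   # constructed test accounts
UUIDS = {"team-a": ["d-a1"], "team-b": ["d-b1"]}  # each team's own deployment UUIDs

if __name__ == "__main__":
    for label, fetch in (("unpatched", simulated_fetch(False)),
                         ("patched", simulated_fetch(True))):
        print(label, "tokens ok:", check_own_access(fetch, TOKENS, UUIDS))
        print(label, "cross-team findings:", check_cross_team_access(fetch, TOKENS, UUIDS))
    # Against a real instance: fetch = urllib_fetch("https://coolify.example"), with
    # TOKENS and UUIDS replaced by tokens and deployment UUIDs of two test teams you control.
```

Only UUIDs the tester's own accounts can legitimately see go into `UUIDS`; the script needs nothing from other teams, and an empty findings list together with all-true `check_own_access` results is the expected outcome on a fixed instance.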

Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.464 or later, where the vulnerability is fixed by adding team ownership verification to the deployment API endpoint.

Until the upgrade can be applied, reduce who can reach the endpoint: limit which users hold API tokens, restrict /api/v1/deployments/ at the reverse proxy in front of Coolify to trusted source addresses where that fits your setup, and monitor API usage for requests to deployment UUIDs that the requesting user's team does not own.

Additionally, review and rotate any potentially exposed sensitive information such as environment variables, API keys, and database credentials that might have been leaked due to this vulnerability.
