Domain Enumeration in Coolify via Query Parameter

Executive Summary

CVE-2026-27956 is a vulnerability in Coolify versions up to 4.0.0-beta.406 that allows authenticated API users to bypass team scoping and enumerate domain names (FQDNs) of applications belonging to other teams.

This happens in the `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` endpoint when the optional uuid query parameter is provided. The endpoint performs a global query that does not filter by team, allowing unauthorized access to internal domain names, application structures, and deployment details.

The root cause is an authorization bypass through user-controlled key, classified as CWE-639.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated API user to access domain names and related application information of other teams without proper authorization.

Such unauthorized information disclosure can lead to exposure of internal infrastructure details, which could be leveraged for further attacks or reconnaissance.

Although the CVSS score is moderate (4.3), the impact includes confidentiality loss of internal domain and application data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable API endpoint with an authenticated user and observing if domain names of applications belonging to other teams are returned.

Specifically, sending a GET request to the endpoint `/api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` with valid authentication and checking if domain names from other teams are enumerated indicates the presence of the vulnerability.

A sample command using curl to test this could be:

• curl -H "Authorization: Bearer <token>" "https://<coolify-server>/api/v1/servers/<server_uuid>/domains?uuid=<app_uuid>"

If the response includes domain names from applications not belonging to the authenticated user's team, the vulnerability exists.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.464 or later, where the vulnerability is fixed.

The fix involves adding proper team scoping to the `uuid` parameter path or modifying the `getDomainsByUuid()` function to accept and enforce team ID filtering.

Until the upgrade can be performed, restrict access to the vulnerable API endpoint to trusted users only and monitor API usage for suspicious enumeration attempts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated API users to enumerate domain names of applications belonging to other teams by bypassing team scoping. This unauthorized access to internal domain names and application details could lead to exposure of sensitive information.

Such unauthorized information disclosure may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and protection of personal or confidential information.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Useful 0 Not Useful 0