CVE-2026-34592
Status: Received (Intake)

Insecure Server and Project Access in Coolify Prior to 4.0.0-beta.471

Vulnerability report for CVE-2026-34592, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying their IDs directly. This vulnerability is fixed in 4.0.0-beta.471.
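The defect described above is the classic CWE-639 pattern: a record is fetched by its primary key alone, so the key becomes the only thing standing between one tenant and another's data. As an added illustration (this is not Coolify's code; the in-memory tables, the `User`, `Server` and `Project` types and the `current_team_id` field are assumptions), the following Python contrasts an unscoped lookup with one filtered by the caller's current team, and shows why a scoped miss should raise the same error as a missing record.

```python
# Added example of team-scoped lookups (hypothetical data model, not Coolify's code).
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    current_team_id: int  # assumption: the team the user is currently acting in


@dataclass(frozen=True)
class Server:
    id: int
    team_id: int
    name: str


@dataclass(frozen=True)
class Project:
    id: int
    team_id: int
    name: str


# Constructed sample data: two teams (10 and 20), each owning one server and one project.
SERVERS = {
    1: Server(id=1, team_id=10, name="team-a-prod"),
    2: Server(id=2, team_id=20, name="team-b-prod"),
}
PROJECTS = {
    101: Project(id=101, team_id=10, name="team-a-app"),
    201: Project(id=201, team_id=20, name="team-b-app"),
}


class NotFound(Exception):
    """Raised for both non-existent ids and ids owned by another team."""


def find_server_unscoped(server_id: int) -> Server:
    """Vulnerable pattern: lookup by primary key only. Any authenticated
    caller who supplies another team's id receives that team's record."""
    server = SERVERS.get(server_id)
    if server is None:
        raise NotFound(server_id)
    return server


def find_scoped(table: dict, user: User, resource_id: int):
    """Hardened pattern: the lookup is filtered by the caller's current team.
    A foreign id yields the same NotFound as a missing id, so the endpoint
    does not become an oracle for which ids exist in other teams."""
    row = table.get(resource_id)
    if row is None or row.team_id != user.current_team_id:
        raise NotFound(resource_id)
    return row


def can_access(table: dict, user: User, resource_id: int) -> bool:
    """Convenience check used by tests and callers that only need a yes/no."""
    try:
        find_scoped(table, user, resource_id)
        return True
    except NotFound:
        return False
```

In an ORM-backed application the same idea is expressed by always starting the query from the team relation (for example `team.servers().find(id)`) rather than from the global table, so the scope cannot be forgotten at individual call sites.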

CVSS Scores

No CVSS score is listed.

EPSS Scores

EPSS evaluated: N/A

Affected Vendors & Products

Vendor   Product   Version / Range
coolify  coolify   all versions before 4.0.0-beta.471 (4.0.0-beta.471 itself is not affected)

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

The vulnerability in Coolify versions prior to 4.0.0-beta.471 allows any authenticated user to access servers and projects that belong to other teams by specifying their IDs directly. This happens because server and project lookups are not properly scoped to the current team, leading to unauthorized access.

Impact Analysis

This vulnerability can lead to unauthorized access to servers and projects of other teams within Coolify. An authenticated user could view sensitive information or resources that they should not have access to, potentially leading to data exposure or misuse.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Coolify to version 4.0.0-beta.471 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows any authenticated user to access servers and projects belonging to other teams by specifying their IDs directly, because lookups are not scoped to the current team.

Such unauthorized access to data and resources could lead to violations of data protection and privacy regulations such as GDPR and HIPAA, which require strict access controls and data segregation to protect sensitive information.

Therefore, until fixed, this vulnerability potentially compromises compliance with these common standards and regulations.
