CVE-2026-57498

Cross-Team Resource Deployment in Coolify

Vulnerability report for CVE-2026-57498, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor       Product   Version / Range
coolify      coolify   up to 4.0.0-beta.474 (excluding)
coollabsio   coolify   up to 4.0.0-beta.474 (excluding)

Exploitability

CWE ID    Description
CWE-639   The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

AI Quick Actions

Executive Summary

CVE-2026-57498 is a critical security vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The issue arises because several Livewire web UI components accept server_id and destination_uuid parameters from URL query strings without validating that the requesting user's team owns the targeted server or resource. While the API controllers properly check server ownership, these UI components skip that validation, allowing unauthorized users to deploy containers or execute commands on servers belonging to other teams.

Specifically, the vulnerability is an Insecure Direct Object Reference (IDOR) flaw where unscoped queries retrieve servers or resources without verifying team ownership. This enables attackers to perform cross-team resource deployment and remote command execution by manipulating URL parameters.

Compliance Impact

The vulnerability in Coolify allows unauthorized cross-team resource deployment and remote command execution due to missing team ownership validation in certain Livewire web UI components.

Such unauthorized access and control over resources can lead to data breaches or unauthorized data processing, which may violate common standards and regulations like GDPR and HIPAA that require strict access controls and data protection.

Therefore, this vulnerability could negatively impact compliance with these regulations by enabling unauthorized access to sensitive data or systems.

Impact Analysis

This vulnerability can have severe impacts including unauthorized deployment of containers to servers owned by other teams and execution of remote commands on those servers. Attackers can exploit the flaw to gain control over resources they should not have access to, potentially leading to data breaches, service disruption, or unauthorized access to sensitive environments.

Detection Guidance

This vulnerability can be detected by monitoring requests whose server_id and destination_uuid query parameters reference resources that do not belong to the requesting team, which indicates a possible cross-team resource deployment attempt.

A Proof of Concept involves accessing URLs similar to: GET /project/{attacker_project}/{attacker_env}/new?type=one-click-service-wordpress&server_id=VICTIM_SERVER_ID&destination=VICTIM_DESTINATION_UUID.

To detect exploitation attempts on your system, you can search your web server logs for requests containing suspicious server_id and destination_uuid parameters that do not match authorized team resources.

  • Use grep or similar tools to find suspicious requests in logs, e.g., `grep 'server_id=' /var/log/nginx/access.log` or `grep 'destination=' /var/log/nginx/access.log`.
  • Check for unexpected SSH command executions or container deployments that do not align with team ownership.

Mitigation Strategies
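The grep above only finds requests that carry the parameters; deciding whether a request is cross-team needs an ownership lookup. The following is an added example (not part of this report or of Coolify) that applies that check to constructed nginx access-log lines, using a hypothetical project-to-team and team-to-resource inventory in place of the Coolify database. It checks both the `destination` and `destination_uuid` parameter names, since the report uses both.

```python
# Flag Coolify "new resource" requests whose server_id / destination parameters
# reference resources owned by a different team (CVE-2026-57498 pattern).
import re
from urllib.parse import urlsplit, parse_qs

# Constructed inventory (hypothetical): in practice read from the Coolify DB.
PROJECT_TEAM = {"proj-alpha": 1, "proj-beta": 2}
TEAM_SERVERS = {1: {"11"}, 2: {"22"}}
TEAM_DESTINATIONS = {1: {"dst-aaaa"}, 2: {"dst-bbbb"}}

# nginx combined log format: '... "GET /path?query HTTP/1.1" ...'
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
NEW_RE = re.compile(r"^/project/(?P<project>[^/]+)/(?P<env>[^/]+)/new$")

def check_request(target):
    """Return reasons a request looks cross-team, or [] if it is clean."""
    parts = urlsplit(target)
    m = NEW_RE.match(parts.path)
    if not m:
        return []  # not a resource-creation URL
    team = PROJECT_TEAM.get(m.group("project"))
    if team is None:
        return ["project not in inventory"]
    q = parse_qs(parts.query)
    reasons = []
    for sid in q.get("server_id", []):
        if sid not in TEAM_SERVERS.get(team, set()):
            reasons.append(f"server_id {sid} not owned by team {team}")
    # the report names both 'destination' and 'destination_uuid'
    for dst in q.get("destination", []) + q.get("destination_uuid", []):
        if dst not in TEAM_DESTINATIONS.get(team, set()):
            reasons.append(f"destination {dst} not owned by team {team}")
    return reasons

def scan_log(lines):
    """Return [(target, reasons)] for every suspicious GET in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("method") == "GET":
            reasons = check_request(m.group("target"))
            if reasons:
                hits.append((m.group("target"), reasons))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [29/Jun/2026:10:00:01 +0000] "GET /project/proj-alpha/prod/new?type=one-click-service-wordpress&server_id=11&destination=dst-aaaa HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Jun/2026:10:00:07 +0000] "GET /project/proj-alpha/prod/new?type=one-click-service-wordpress&server_id=22&destination=dst-bbbb HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Jun/2026:10:00:09 +0000] "GET /dashboard HTTP/1.1" 200 128',
]
```

Only the second sample line is reported, because project proj-alpha belongs to team 1 while server 22 and destination dst-bbbb belong to team 2.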

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.474 or later, where this vulnerability has been fixed.

The fix involves ensuring that all server ownership validations are properly scoped to the current team by replacing unscoped queries with scoped ones, such as using whereHas to validate team ownership and Server::ownedByCurrentTeam()->find() for server lookups.

Until the upgrade is applied, restrict access to the affected Livewire web UI components and monitor for suspicious activity involving server_id and destination_uuid parameters.
