CVE-2026-34037
Received Received - Intake

Cross-Tenant Resource Cloning in Coolify

Vulnerability report for CVE-2026-34037, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify 4.0.0-beta.464

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34037 is a critical security vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The issue lies in the cloneTo() Livewire action within ResourceOperations.php, where the source resource is authorized but the destination resource is resolved without proper team scoping. This allows an authenticated user to clone resources into destinations owned by other teams, effectively bypassing tenant isolation.

The vulnerability arises because the code does not verify that the destination resource belongs to the same team as the user, enabling cross-tenant resource cloning or moving. Attackers can exploit this by modifying requests to clone or move resources into other teams' infrastructure, potentially accessing or modifying resources they should not have access to.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to resources belonging to other teams, leading to potential data breaches and unauthorized modifications.

  • Attackers can clone or move resources into other teams' servers or environments.
  • They can deploy arbitrary Docker containers on victim infrastructure.
  • Attackers may inject resources into other teams' project views, compromising confidentiality and integrity.

Because the vulnerability allows cross-tenant access with low complexity and low privileges, it poses a high risk to the confidentiality, integrity, and availability of affected systems.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized cross-tenant cloning or moving of resources within the Coolify application. Specifically, an attacker might intercept and modify Livewire POST requests to change the destination resource ID to one belonging to another team.

To detect exploitation attempts, you can inspect network traffic for suspicious Livewire POST requests that include unexpected or unauthorized destination_id parameters.

Since the vulnerability involves unscoped Eloquent lookups and broken authorization in the cloneTo() and moveTo() functions, reviewing application logs for cloning or moving actions where the destination resource does not belong to the user's team can help identify potential abuse.

No specific commands are provided in the available resources, but general approaches include:

  • Use network packet capture tools (e.g., tcpdump, Wireshark) to filter HTTP POST requests to the Coolify Livewire endpoints and analyze the payload for unauthorized destination_id values.
  • Review application logs for cloning or moving operations and verify that the destination resource belongs to the same team as the user performing the action.
  • Audit database queries or logs for cloning/moving operations that cross team boundaries.
Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.464 or later, where this vulnerability is fixed.

This update enforces team-based access control in the cloneTo() and moveTo() functions, ensuring that destination resources belong to the user's team before allowing cloning or moving operations.

Additionally, the update includes policy fixes in StandaloneDockerPolicy.php and SwarmDockerPolicy.php to properly validate user permissions based on team ownership.

If immediate upgrade is not possible, consider restricting access to the affected Livewire actions and closely monitoring for suspicious cloning or moving activities.

Compliance Impact

The vulnerability allows authenticated users to access and clone resources across tenant boundaries, leading to unauthorized access to data and infrastructure belonging to other teams.

Such unauthorized cross-tenant access can result in breaches of confidentiality and integrity of data, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Specifically, the failure to enforce proper team-based access control could lead to exposure of sensitive personal or health information managed within the affected systems, thereby violating data protection and privacy obligations.

Remediation of this vulnerability by enforcing team validation and proper authorization helps maintain compliance by ensuring tenant isolation and preventing unauthorized data access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34037. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart