CVE-2026-34167
Received Received - Intake

Activity ID Enumeration Leak in Coolify

Vulnerability report for CVE-2026-34167, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute. It loads activities via Activity::find($this->activityId) with no authorization or team scoping. Activity IDs are auto-incrementing integers. Any authenticated user can enumerate activity records across all teams and read the full command output from remote SSH processes, which may include secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coolify activitymonitor to 4.0.0-beta.471 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in Coolify versions prior to 4.0.0-beta.471 within the ActivityMonitor Livewire component. Specifically, a public property called $activityId is exposed without proper access restrictions (missing the #[Locked] attribute). This property is used to load activity records by their ID without any authorization or team scoping checks.

Because activity IDs are simple auto-incrementing integers, any authenticated user can enumerate these IDs and access activity records belonging to all teams. This allows them to read the full command output from remote SSH processes, which may contain sensitive information such as secrets, configuration files, and infrastructure details.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information. An attacker with any authenticated access can enumerate and view activity logs from other teams, potentially exposing secrets, configuration files, and infrastructure details.

Such exposure can compromise the security of your infrastructure, lead to data breaches, and allow attackers to gain further access or cause damage by leveraging the leaked information.

Mitigation Strategies

To mitigate this vulnerability, upgrade Coolify to version 4.0.0-beta.471 or later, where the issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34167. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart