A critical authorization bypass in Coolify allows attackers to perform cross-team resource deployments by exploiting missing ownership validation in web UI components.

The vulnerability stems from a failure in Livewire components to validate server_id and destination_uuid parameters against the authenticated user's team ID. Unlike the backend API controllers, the UI components do not perform the necessary authorization checks, allowing authenticated users to manipulate resources belonging to other teams.

Successful exploitation allows unauthorized users to modify or deploy resources across different team environments, breaking multi-tenancy isolation. With a CVSS score of 9.6, this vulnerability poses a severe risk to the integrity and confidentiality of self-hosted infrastructure, potentially allowing lateral movement within the Coolify ecosystem.

Immediate Action: Upgrade to Coolify version 4.0.0-beta.474 or later to ensure all UI components correctly enforce server and destination ownership.

Proactive Monitoring: Inspect deployment logs for any unauthorized resource creation or changes that do not align with current team assignments.

Compensating Controls: Restrict access to the Coolify administrative dashboard to trusted internal networks and audit user permissions to ensure the principle of least privilege.

Public Exploit Available: Unknown

Organizations using Coolify in multi-tenant or multi-team environments must apply the provided update immediately. Failure to patch allows for significant unauthorized control over the server and application management lifecycle.