CVE-2026-34037

coollabsio · coolify

An authorization bypass vulnerability in Coolify allows authenticated users to access and manipulate resources belonging to other tenants.

Executive summary

An authorization flaw in Coolify allows authenticated users to bypass tenant isolation and clone resources into unauthorized cross-tenant environments.

Vulnerability

The vulnerability exists in the cloneTo() Livewire action, which performs unscoped Eloquent lookups for destination resources. An authenticated user can leverage this to clone resources into destinations owned by other teams, effectively bypassing cross-tenant access controls.

Business impact

This flaw breaks the fundamental multi-tenancy isolation of the Coolify platform. An attacker could gain unauthorized access to sensitive application or database configurations, leading to cross-tenant data exposure and potential privilege escalation within the management console. With a CVSS score of 9.9, this vulnerability represents a severe breach of trust and data integrity for any organization managing multiple teams or clients on a single instance.

Remediation

Immediate Action: Upgrade Coolify to version 4.0.0-beta.464 or later to enforce proper scoping in resource operations.

Proactive Monitoring: Audit recent resource cloning activities and team access logs to identify any unauthorized cross-tenant resource movement.

Compensating Controls: Limit access to the Coolify management interface to trusted users only and implement strict internal network access controls until the patch is applied.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the high impact on data confidentiality and integrity, administrators should update their Coolify instance immediately. Following the update, an audit of current resource permissions is recommended to ensure no unauthorized cross-tenant actions occurred prior to the fix.