CVE-2026-34037 in Coolify
Summary
by MITRE • 07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability identified in Coolify versions prior to 4.0.0-beta.464 represents a critical authorization bypass flaw that undermines the application's multi-tenancy security model. This weakness exists within the cloneTo() Livewire action located in the ResourceOperations.php file, where the system properly validates the source resource ownership but fails to enforce proper access controls on destination resources. The flaw stems from unscoped Eloquent lookups that resolve destination resources without considering tenant isolation boundaries, creating a pathway for authenticated users to manipulate resources across different team environments.
The technical implementation of this vulnerability exploits the principle of least privilege by allowing unauthorized cross-tenant resource operations through what appears to be a legitimate cloning function. When an authenticated user invokes the cloneTo() action, the system authorizes access to the source resource based on the current user's permissions but then uses unconstrained database queries to locate destination resources. This design flaw enables attackers to specify any destination team or project when cloning resources, effectively bypassing the intended tenant boundaries that should prevent users from accessing or modifying resources belonging to other teams.
The operational impact of this vulnerability extends beyond simple data access violations, as it creates potential for severe security breaches within multi-tenant environments where isolation is paramount. Attackers could leverage this flaw to clone sensitive configuration files, database credentials, or application settings into other teams' environments, potentially leading to data leakage, service disruption, or unauthorized access to production systems. The vulnerability also presents a significant risk for privilege escalation scenarios where users might clone resources containing administrative capabilities or sensitive infrastructure configurations.
This security weakness aligns with CWE-284 (Improper Access Control) and represents a classic example of insufficient authorization checking in multi-tenant applications. The vulnerability demonstrates how seemingly benign functionality can introduce critical security gaps when proper access control mechanisms are not consistently applied throughout the application's resource resolution process. From an adversary perspective, this flaw maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) and T1566.002 (Phishing: Spearphishing Attachments), as it allows for unauthorized access to resources that should remain isolated between tenant environments.
The fix implemented in version 4.0.0-beta.464 addresses this vulnerability by ensuring that destination resource lookups are properly scoped to the authenticated user's team context, thereby maintaining the isolation boundaries that protect multi-tenant deployments. Organizations using Coolify should immediately upgrade to the patched version and conduct thorough security reviews of their deployment configurations to ensure proper tenant isolation remains intact. Additional mitigations may include implementing comprehensive logging of cloning operations and monitoring for unusual resource movement patterns between tenant environments.
The vulnerability highlights the critical importance of consistent authorization enforcement throughout application logic, particularly in multi-tenant architectures where boundary violations can have cascading security implications. Security teams should implement regular code reviews focusing on resource resolution patterns and access control implementation to prevent similar issues from emerging in other application components. This case underscores why automated security testing and proper threat modeling are essential practices for maintaining secure multi-tenant software deployments.