CVE-2026-34044 in Coolify
Summary
by MITRE • 07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by other teams by supplying a victim resource UUID. This issue is fixed in version 4.0.0-beta.466.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability identified in Coolify versions prior to 4.0.0-beta.466 represents a critical access control flaw that undermines the security boundaries between different teams within the application. This issue specifically affects the Logs::mount() component which is responsible for retrieving and displaying log data from various resources within the system. The flaw stems from an insufficient implementation of resource scoping during UUID-based lookups, creating a path for unauthorized information disclosure.
The technical implementation of this vulnerability demonstrates a classic case of insufficient access control or improper privilege management where the system fails to verify that the authenticated user has legitimate authorization to access the requested resource. When a user attempts to retrieve logs for a specific application, the system performs a lookup using the provided UUID without validating whether the requesting user belongs to the same team that owns the target resource. This design flaw directly violates the principle of least privilege and creates a cross-tenant data exposure scenario.
From an operational perspective, this vulnerability allows an authenticated attacker to gain unauthorized access to sensitive log information belonging to other teams within the same Coolify instance. The impact extends beyond simple information disclosure as log files often contain critical operational data, system configurations, application behavior patterns, and potentially sensitive environmental variables or credentials that could be exposed through log content. This cross-tenant access breach can lead to significant security implications including potential reconnaissance for further attacks, exposure of internal system architecture details, and compromise of other team's operational integrity.
The vulnerability maps directly to CWE-284 which describes improper access control scenarios where a system fails to properly enforce access restrictions on resources. Additionally, this issue aligns with ATT&CK technique T1565.001 which covers "Data Manipulation" through unauthorized access to system resources. The flaw represents a failure in the application's authorization model and demonstrates how seemingly simple lookup operations can create substantial security risks when proper validation checks are omitted.
Organizations using Coolify versions prior to 4.0.0-beta.466 should immediately implement mitigations including updating to the patched version, implementing additional access control layers at the network level, and conducting thorough audits of existing log data to identify potential exposure windows. The fix implemented in version 4.0.0-beta.466 addresses this by introducing proper team scoping during UUID lookups, ensuring that resource access is constrained to the authenticated user's organizational boundaries. Security teams should also consider implementing monitoring for unauthorized access patterns and establishing more robust audit logging to detect similar issues in other components of their infrastructure.