CVE-2026-34167 in Coolify
Summary
by MITRE • 07/06/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute. It loads activities via Activity::find($this->activityId) with no authorization or team scoping. Activity IDs are auto-incrementing integers. Any authenticated user can enumerate activity records across all teams and read the full command output from remote SSH processes, which may include secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability identified in Coolify versions prior to 4.0.0-beta.471 represents a critical access control flaw that undermines the security boundaries of multi-tenant environments. The ActivityMonitor Livewire component exposes a public $activityId property without proper protection mechanisms, creating an unintended attack surface that allows authenticated users to bypass normal authorization checks. This design flaw directly violates fundamental security principles of least privilege and proper access control, as the absence of the #[Locked] attribute on the Livewire property enables arbitrary manipulation of the activity identifier parameter. The vulnerability stems from a lack of input validation and authorization enforcement within the component's data loading mechanism.
The technical implementation of this flaw manifests through the Activity::find($this->activityId) method call which retrieves activity records without verifying whether the authenticated user has proper authorization to access the specific activity record. Since activity IDs are auto-incrementing integers, attackers can systematically enumerate valid activity identifiers across different teams and organizations, effectively enabling cross-tenant data leakage. This enumeration capability represents a classic privilege escalation vector that allows unauthorized users to access sensitive information from other teams' activities, including full command output from remote SSH processes. The exposed command outputs may contain secrets, configuration files, and infrastructure details that could be leveraged for further attacks or reconnaissance activities.
The operational impact of this vulnerability extends beyond simple data leakage, as it creates a persistent security risk for organizations using Coolify in multi-tenant environments. Attackers can exploit this flaw to gain unauthorized access to sensitive operational data, potentially exposing system configurations, deployment credentials, and infrastructure details that could be used for lateral movement or privilege escalation within the target environment. The vulnerability affects all authenticated users regardless of their team affiliation or role permissions, making it particularly dangerous in shared hosting scenarios where multiple organizations rely on the same Coolify instance. This flaw undermines the integrity of the application's security model and could lead to significant data breaches or compliance violations.
The remediation for this vulnerability requires implementing proper authorization checks and team scoping mechanisms before loading activity records. The fix in version 4.0.0-beta.471 addresses this issue by ensuring that each activity record is properly validated against the authenticated user's team membership and access permissions. This approach aligns with CWE-285, which addresses improper authorization issues in software systems, and follows ATT&CK technique T1078 for valid accounts and privilege escalation. Organizations should implement comprehensive access control policies that enforce proper authorization before any data retrieval operations occur, ensuring that activity records are scoped to the appropriate team context and that users cannot enumerate or access activities belonging to other teams. The implementation of proper input validation, authorization checks, and team scoping mechanisms represents essential security controls that prevent unauthorized data access in multi-tenant applications.