๐Ÿ” CVE Alert

CVE-2026-34044

HIGH 7.7

Coolify: Cross-team IDOR in logs component (resource lookup not team-scoped)

CVSS Score
7.7
EPSS Score
0.2%
EPSS Percentile
15th

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by other teams by supplying a victim resource UUID. This issue is fixed in version 4.0.0-beta.466.

CWE CWE-639
Vendor coollabsio
Product coolify
Published Jul 7, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for coollabsio coolify

Be the first to know when new high vulnerabilities affecting coollabsio coolify are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

coollabsio / coolify
< 4.0.0-beta.466

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/coollabsio/coolify/security/advisories/GHSA-565g-9j4m-wqmr github.com: https://github.com/coollabsio/coolify/commit/6fbb5e626a82c576ae7a1a08b4e1d16aee2e82ed github.com: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466