PT-2026-56128 · Coolify · Coolify

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-34037

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.464
Description An authenticated user can clone resources into destinations owned by other teams and access cross-tenant resources. This occurs because the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources using unscoped Eloquent lookups, which are database queries that do not apply the necessary ownership or tenant restrictions.
Recommendations Update to version 4.0.0-beta.464.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-34037

Affected Products

Coolify