Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. Coolify CVE-2026-34037: CVSS 9.9 IDOR Enables Cross-Team Resource Takeover
Coolify CVE-2026-34037: CVSS 9.9 IDOR Enables Cross-Team Resource Takeover

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-34037

Coolify CVE-2026-34037: CVSS 9.9 IDOR Enables Cross-Team Resource Takeover

A critical IDOR vulnerability in Coolify's cloneTo() Livewire action allows authenticated users to clone and take over resources across team boundaries via unscoped Eloquent lookups.

Dylan H.

Security Team

July 7, 2026
3 min read

Affected Products

  • Coolify < 4.0.0-beta.464

Executive Summary

A critical insecure direct object reference (IDOR) vulnerability has been identified in Coolify, the popular open-source self-hostable platform for managing servers, applications, and databases. Tracked as CVE-2026-34037 with a CVSS score of 9.9, the flaw exists in the cloneTo() Livewire action within ResourceOperations.php. The vulnerability allows an authenticated user to clone source resources they are authorized for, but resolve destination resources using unscoped Eloquent lookups — effectively crossing team authorization boundaries and taking over resources belonging to other teams.

The issue is fixed in Coolify 4.0.0-beta.464.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-34037
CVSS Score9.9 (Critical)
TypeInsecure Direct Object Reference (IDOR)
ComponentResourceOperations.php — cloneTo() Livewire action
AuthenticationRequired (any authenticated user)
ScopeCross-team resource access and takeover
Fixed InCoolify 4.0.0-beta.464

Technical Details

Root Cause

The cloneTo() action in ResourceOperations.php performs a two-step authorization check:

  1. Source resource: properly authorized against the requesting user's team
  2. Destination resource: resolved with an unscoped Eloquent model lookup — no team boundary check

Because the destination lookup does not enforce team-scoped access control, an authenticated attacker can supply a destination resource ID belonging to any team. The clone operation then executes with the permissions of the destination resource, granting the attacker effective ownership or control over it.

Impact

An authenticated user in any team can:

  • Clone their own authorized resources into resources belonging to other teams
  • Overwrite or corrupt configurations of resources they should not have access to
  • Potentially escalate to control of server-level resources managed by other teams on the same Coolify instance

This is especially impactful in multi-tenant Coolify deployments — hosting providers or organizations running Coolify for multiple customers/teams on shared infrastructure.


Affected Versions

ProductAffected VersionsFixed Version
Coolify< 4.0.0-beta.4644.0.0-beta.464+

Remediation

Immediate Action

Upgrade Coolify to version 4.0.0-beta.464 or later.

# Update Coolify via the built-in update mechanism
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash

Or update via the Coolify dashboard: Settings → Update.

If Immediate Patching Is Not Possible

  1. Restrict to single-team usage: If your Coolify instance is single-team only, the cross-team risk is limited — but upgrade as soon as possible.
  2. Audit clone activity: Review Coolify logs for unexpected cloneTo actions across team boundaries.
  3. Limit user access: Remove untrusted users from your Coolify instance until the patch is applied.
  4. Network-isolate the instance: Ensure Coolify is not publicly internet-accessible without strong authentication.

Risk Context

Coolify is widely used by self-hosters and small hosting providers as a lightweight alternative to commercial PaaS platforms. A CVSS 9.9 IDOR in a multi-tenant capable platform is particularly dangerous because:

  • Blast radius scales with tenant count: More teams = more resources available for cross-team takeover
  • Self-hosters may not patch promptly: Beta versioning may lead administrators to delay updates
  • No network-level mitigation: The vulnerability is exploitable by any authenticated user with no network position required

References

  • NVD — CVE-2026-34037
  • Coolify GitHub
#CVE-2026-34037#Coolify#IDOR#Privilege Escalation#Self-Hosted#Vulnerability

Related Articles

Coolify CVE-2026-34048: Low-Privilege Terminal Escalation via WebSocket (CVSS 9.9)

A critical privilege escalation flaw in Coolify's terminal WebSocket routes lets any low-privileged team member connect to privileged server terminals by bypassing terminal-level authorization checks.

4 min read

Coolify CVE-2026-34047: Terminal WebSocket Authorization Bypass (CVSS 9.9)

A critical authorization bypass in Coolify's terminal WebSocket bootstrap routes allows authenticated users to access server terminals for resources outside their team scope.

3 min read

CVE-2026-34038: Critical Coolify RCE via Authenticated Command Injection (CVSS 9.9)

A critical command injection vulnerability in Coolify's deployment pipeline allows any authenticated user with write access to execute arbitrary OS commands and exfiltrate all environment variables — including API keys and database credentials — on the host system.

5 min read
Back to all Security Alerts