Executive Summary
A critical insecure direct object reference (IDOR) vulnerability has been identified in Coolify, the popular open-source self-hostable platform for managing servers, applications, and databases. Tracked as CVE-2026-34037 with a CVSS score of 9.9, the flaw exists in the cloneTo() Livewire action within ResourceOperations.php. The vulnerability allows an authenticated user to clone source resources they are authorized for, but resolve destination resources using unscoped Eloquent lookups — effectively crossing team authorization boundaries and taking over resources belonging to other teams.
The issue is fixed in Coolify 4.0.0-beta.464.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-34037 |
| CVSS Score | 9.9 (Critical) |
| Type | Insecure Direct Object Reference (IDOR) |
| Component | ResourceOperations.php — cloneTo() Livewire action |
| Authentication | Required (any authenticated user) |
| Scope | Cross-team resource access and takeover |
| Fixed In | Coolify 4.0.0-beta.464 |
Technical Details
Root Cause
The cloneTo() action in ResourceOperations.php performs a two-step authorization check:
- Source resource: properly authorized against the requesting user's team
- Destination resource: resolved with an unscoped Eloquent model lookup — no team boundary check
Because the destination lookup does not enforce team-scoped access control, an authenticated attacker can supply a destination resource ID belonging to any team. The clone operation then executes with the permissions of the destination resource, granting the attacker effective ownership or control over it.
Impact
An authenticated user in any team can:
- Clone their own authorized resources into resources belonging to other teams
- Overwrite or corrupt configurations of resources they should not have access to
- Potentially escalate to control of server-level resources managed by other teams on the same Coolify instance
This is especially impactful in multi-tenant Coolify deployments — hosting providers or organizations running Coolify for multiple customers/teams on shared infrastructure.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Coolify | < 4.0.0-beta.464 | 4.0.0-beta.464+ |
Remediation
Immediate Action
Upgrade Coolify to version 4.0.0-beta.464 or later.
# Update Coolify via the built-in update mechanism
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bashOr update via the Coolify dashboard: Settings → Update.
If Immediate Patching Is Not Possible
- Restrict to single-team usage: If your Coolify instance is single-team only, the cross-team risk is limited — but upgrade as soon as possible.
- Audit clone activity: Review Coolify logs for unexpected
cloneToactions across team boundaries. - Limit user access: Remove untrusted users from your Coolify instance until the patch is applied.
- Network-isolate the instance: Ensure Coolify is not publicly internet-accessible without strong authentication.
Risk Context
Coolify is widely used by self-hosters and small hosting providers as a lightweight alternative to commercial PaaS platforms. A CVSS 9.9 IDOR in a multi-tenant capable platform is particularly dangerous because:
- Blast radius scales with tenant count: More teams = more resources available for cross-team takeover
- Self-hosters may not patch promptly: Beta versioning may lead administrators to delay updates
- No network-level mitigation: The vulnerability is exploitable by any authenticated user with no network position required