CVE-2026-34037: Critical Improper Authorization in Coolify
| Field | Value |
|---|---|
| CVE ID | CVE-2026-34037 |
| CVSS score | 9.9 (Critical) |
| Attack vector | Authenticated user action |
| Auth required | Yes |
| Patch status | Fixed in 4.0.0-beta.464 |
TL;DR - Coolify before
4.0.0-beta.464lets authenticated users clone resources into other teams’ destinations. - Multi-tenant Coolify deployments are affected most. - Patch urgently to4.0.0-beta.464or later and review clone activity.
Vulnerability at a glance
CVE-2026-34037 is a critical improper authorization flaw in Coolify, the open-source self-hosted platform used to manage servers, applications, and databases. According to the NVD description, the issue affects Coolify versions prior to 4.0.0-beta.464. The vulnerable code path is the cloneTo() Livewire action in ResourceOperations.php, where authorization is enforced on the source resource but destination resources are resolved using unscoped Eloquent lookups.
In practical terms, this is a multi-tenant isolation failure. An authenticated user who is allowed to operate on a resource they own may be able to clone that resource into a destination owned by another team. That can lead to cross-tenant resource access and unauthorized operations across administrative boundaries. Even without anonymous access or remote code execution, this is still operationally severe because many teams deploy Coolify specifically to segment environments, projects, or customers.
What is this vulnerability?
The root cause is not a generic “permission bug” but a specific authorization design failure. The application checks whether the user is authorized to act on the resource they are cloning from, but it does not properly scope the destination lookup to the same tenant or team. That means the trust boundary is enforced on one side of the workflow and silently bypassed on the other.
For defenders, that matters because the exploit path may blend into legitimate usage. Resource cloning is a normal administrative action in many platform management tools. When a bug exists in the destination resolution logic rather than the initial access check, suspicious activity may look like routine workflow noise unless you specifically validate whether the source and destination team ownership should match. In environments with multiple internal teams, contractors, or customer tenants on one Coolify instance, this raises the risk of unauthorized lateral access through the management plane.
Who is affected?
The affected version range currently documented is all Coolify versions before 4.0.0-beta.464. The fixed release is explicitly identified as 4.0.0-beta.464. If you are running any earlier build in the 4.0.0 beta line, you should assume you are vulnerable unless you have independently verified that the specific fix from commit 1759a1631cd63271ebf6caa250c6d93440eaa333 has been backported into your deployment.
This issue is most significant for shared Coolify instances where multiple teams, business units, clients, or less-trusted authenticated users coexist. A single-team lab instance may face lower practical exposure because the tenant boundary is less meaningful there. However, if you use Coolify to separate staging, production, client environments, or delegated admin functions, you should treat the vulnerability as a direct failure of administrative isolation. Where version inventory is incomplete, defenders should assume exposure until they confirm the running version is 4.0.0-beta.464 or later.
Severity and risk context
NVD assigns this flaw a CVSS score of 9.9, which places it in the critical tier. The exact CVSS vector was not available in the source material provided here, so it would be inappropriate to infer the sub-metrics. Still, the score alone indicates that the impact of the authorization failure is considered severe.
Why such a high score for an authenticated bug? Because this is not merely a low-impact privilege confusion issue. It affects tenant isolation in a control-plane product that manages infrastructure and application resources. If an authenticated user can cross team boundaries, the outcome may include unauthorized deployments, data exposure, infrastructure misplacement, or use of another team’s destinations. In the absence of public exploit telemetry, defenders should assume the bug is high-value for insider abuse, compromised accounts, and low-privilege footholds on shared Coolify instances.
Exploitation status
As of the available primary-source references, there is no confirmed evidence of in-the-wild exploitation for CVE-2026-34037. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog, which is one useful indicator, though not definitive proof that exploitation has not occurred. Absence from KEV should reduce panic, not urgency.
There is also no verified public proof of concept (PoC) identified in the source material used for this article. That said, the public NVD description, the fix commit reference, and the release information provide enough detail for a capable attacker or researcher to understand the general flaw class. Defenders should not rely on “no public PoC” as a mitigation. For an authorization bug in a visible codebase, patch availability often accelerates reverse engineering of the vulnerable path.
Technical deep dive
The available technical description points directly to a code-level authorization gap in cloneTo() within ResourceOperations.php. The vulnerable behavior arises when source authorization is checked correctly, but destination resources are fetched using unscoped Eloquent queries. In Laravel terms, that usually means the destination resolution path does not enforce team ownership constraints before the clone is allowed to proceed.
This pattern is common in multi-tenant failures: an operation that involves two objects validates access to the first object but trusts user-supplied or weakly validated identifiers for the second. Security reviews often catch “can the user access resource A?” but miss “can the user bind resource A to resource B across a tenant boundary?” For platform teams, this CVE is a reminder to test all cross-object workflows for authorization on every referenced object, not only the object that initiates the action.
Technical Notes
Primary references for root-cause validation:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34037
- Fix commit: https://github.com/coollabsio/coolify/commit/1759a1631cd63271ebf6caa250c6d93440eaa333
- Patched release: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.464
- GitHub Security Advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-ggrr-wrvr-x83v
Defender validation checklist after patching:
1. Confirm running version is 4.0.0-beta.464 or later.
2. Review user roles with clone permissions.
3. Test clone operations across teams with a non-admin account.
4. Verify the app denies cross-team destination selection.
5. Add logging for source_team_id and destination_team_id in clone actions.
How to detect it
Detection is challenging because this vulnerability abuses a legitimate feature: cloning resources. Start by identifying every Coolify instance and confirming its exact running version. Then review audit trails, application logs, reverse proxy logs, and team ownership metadata for clone operations where the source resource owner and destination owner do not match expected tenancy rules.
You should also investigate unexpected resource appearances in another team’s destination, unexplained application duplication, or support tickets involving “mystery” cloned resources. Because the published description names the cloneTo() action, detections should focus on workflow events associated with clone operations, especially from standard user accounts rather than central administrators. If your logging is incomplete, assume potential historical blind spots and prioritize upgrading before relying on retrospective detection.
Technical Notes
Because official vendor log syntax was not provided in the source material, defenders should adapt the following patterns to their stack. The goal is to find clone-related operations crossing team boundaries.
Example grep pattern for application or container logs:
grep -RniE 'cloneTo|clone.*destination|ResourceOperations' /var/log /opt/coolify 2>/dev/null
Example Docker log review if Coolify runs in containers:
docker ps --format '{{.Names}}' | grep -i coolify
docker logs --since 30d <coolify-container-name> 2>&1 | grep -iE 'cloneTo|clone|destination|team'
Example reverse proxy search for clone workflow requests:
grep -RniE 'livewire|clone' /var/log/nginx /var/log/apache2 2>/dev/null
Hunt query logic to implement in SIEM:
Find requests or application events where:
- action name contains "clone" or "cloneTo"
- user_id is present
- source_team_id != destination_team_id
- user is not a platform-wide administrator
Generic suspicious log pattern to look for:
user=<id> action=cloneTo source_resource=<id> source_team=<teamA> destination=<id> destination_team=<teamB>
If your current logs do not capture both source and destination ownership, that gap is itself important. Add telemetry after patching so future authorization regressions are easier to detect.
Mitigation and patching
The primary remediation is straightforward: upgrade Coolify to 4.0.0-beta.464 or later. That is the first fixed version explicitly named in the NVD entry. If you manage multiple instances, prioritize any deployment that serves more than one team or contains less-trusted user accounts. In most organizations, this should be treated as an expedited patch rather than a routine maintenance item.
If you cannot patch immediately, your goal is to reduce exploitability by narrowing who can perform clone operations and who can log in. Since the bug requires authentication, temporarily restricting access can materially reduce risk. Consider limiting Coolify access to trusted administrators only, disabling or pausing delegated team usage if operationally feasible, and reviewing role assignments for accounts that do not need resource cloning capabilities. These are temporary controls, not fixes, because the authorization flaw exists in application logic.
Technical Notes
Where exact deployment commands differ, use your local install method. The source material confirms the fixed release version, but not a single canonical upgrade command for every environment. The commands below are examples defenders can adapt based on how they deployed Coolify.
If you deploy Coolify with Docker Compose, pull the fixed release and restart:
docker compose pull
docker compose up -d
If your compose file pins an image tag, update it to v4.0.0-beta.464 or later before restarting. For example:
services:
coolify:
image: ghcr.io/coollabsio/coolify:v4.0.0-beta.464
Then apply:
docker compose up -d
If you need to verify the running image version after restart:
docker ps --format 'table {{.Names}} {{.Image}}' | grep -i coolify
Short-term workaround if immediate upgrade is blocked: - Restrict Coolify login to trusted admins only. - Remove or disable accounts for external collaborators or low-trust users. - Temporarily suspend clone-related workflows if your operations allow it. - Enforce network access restrictions to the Coolify UI through VPN, IP allowlists, or an identity-aware proxy.
In the absence of vendor-published workaround guidance beyond upgrading, defenders should assume no complete safe workaround exists. Compensating controls help reduce exposure but do not correct the flawed authorization path.
References
The most reliable sources for this CVE are the official and primary references already tied to the NVD record. Defenders should prefer these over third-party summaries when validating affected versions, patch status, and remediation steps.
Use the following references for incident response notes, vulnerability management tickets, and change-control evidence:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34037
- Official fix commit: https://github.com/coollabsio/coolify/commit/1759a1631cd63271ebf6caa250c6d93440eaa333
- Official patched release: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.464
- Official GitHub security advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-ggrr-wrvr-x83v
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
If some operational detail is still unknown in your environment, the safe assumption is simple: any Coolify version before 4.0.0-beta.464 on a shared instance should be treated as exposed until patched and reviewed.
For further security measures, consider exploring resources on cloud security and understanding buffer overflow vulnerabilities.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.