CVE Catalog

CVE-2026-27881

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

Coolify prior to version 4.0.0-beta.464 has a vulnerability in the `GET /api/v1/deployments/{uuid}` endpoint that does not validate whether the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment details from other teams by providing a valid deployment UUID.

Risk Assessment

The risk involves unauthorized access to sensitive deployment data of other teams, potentially leading to disclosure of application, database, or server configuration information.

Recommendation

Immediately update Coolify to version 4.0.0-beta.464 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS