External risk intelligence

Coolify Cross-Tenant Resource Access Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-34037

Coolify is a self-hosted management platform for servers and applications. Such tools are typically deployed as internet-facing or edge-reachable management consoles to facilitate remote administration of infrastructure, making the web interface commonly accessible via the internet.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Coolify, a tool used for managing servers, applications, and databases. The issue allows authenticated users to potentially access resources belonging to other teams, which could lead to unauthorized data exposure and modification. The main concern is confirming relevance and exposure within our environment.

  • Unauthorized access to other teams' resources.
  • Could expose sensitive cross-tenant data.
  • Confirm if Coolify is in use.

Attack Path

How an attacker could exploit the issue

An authenticated user could exploit this vulnerability by cloning resources to unintended destinations. This occurs because the system improperly checks where resources can be cloned, allowing an attacker to bypass tenant restrictions and access or modify data belonging to other users or teams, potentially leading to significant data breaches or disruptions.

  • Requires authenticated user access.
  • Clone action improperly resolves destination resources.
  • Cross-tenant resource access and modification.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user could clone resources into destinations owned by other teams, potentially granting unauthorized access to cross-tenant data. This could occur when the `cloneTo()` action in ResourceOperations.php resolves destination resources using unscoped Eloquent lookups, bypassing intended access controls.

  • Cross-tenant resource data.
  • Unscoped lookups when cloning resources.
  • Unauthorized access to other teams' data.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Coolify platform's administration and application owners are likely responsible for addressing this vulnerability. The first critical step is to identify all instances of Coolify within the environment, determine their exposure and business criticality, and then confirm the accountable owner for each instance to plan remediation.

  • Identify Coolify instances and owners.
  • Verify resource access and scope.
  • Plan and coordinate updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coolify?

Coolify is an open-source, self-hosted platform designed to streamline server, application, and database management. It acts as a centralized dashboard where developers and administrators configure and deploy their infrastructure services. Because it handles sensitive operational data, it functions similarly to other specialized control plane software used to manage interconnected technical resources.

What is the vulnerability in CVE-2026-34037?

This vulnerability is an Authorization Bypass, specifically classified as CWE-639 (Authorization Bypass Through User-Controlled Key). It occurs because the software fails to properly verify if a user has permission to access a specific destination resource during a cloning operation. Instead of ensuring the destination belongs to the user, the system resolves it using an unscoped lookup, effectively ignoring organizational boundaries.

How does an attacker trigger this CVE-2026-34037 flaw?

An attacker must have an existing authenticated account within the Coolify instance to initiate the problematic cloneTo() action. The vulnerability is triggered when the system attempts to clone a resource without validating the destination's ownership. Importantly, simply having a user account does not automatically expose your own data; the issue only manifests if an authenticated user specifically invokes the cloning function toward an unauthorized target.

Why should I care about this flaw if I use Coolify?

According to Halo Surface Signal, Coolify is often deployed as an internet-facing management console to enable remote administration. Because this tool acts as a bridge to your infrastructure, this vulnerability is particularly relevant if your instance is reachable over the network. If an unauthorized user gains access, they could potentially cross tenant boundaries to view, interact with, or modify resources belonging to other teams.

How do I respond to this threat?

The most effective first step is to upgrade your Coolify installation to version 4.0.0-beta.464 or later, which resolves the unscoped lookup issue. Simultaneously, you should audit your current environment to locate all running instances, confirm who is responsible for each deployment, and ensure that access controls are strictly configured for all users until the update is applied.

References