External risk intelligence

Coolify Server Ownership Validation Bypass Allows Cross-Team Deployment

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-57498

Coolify is a self-hosted platform used to manage servers, applications, and databases. Because it acts as an interface for managing external-facing infrastructure and applications, it is commonly deployed as a web-accessible management surface, making its web UI components typically reachable from the internet.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in Coolify, an open-source tool used for managing servers, applications, and databases. The issue allows unauthorized access and deployment of resources across different teams due to a lack of ownership validation in certain web interface components. This could potentially lead to the misuse or compromise of managed systems.

  • Insecure web components allow unauthorized resource deployment.
  • Critical flaw could enable cross-team system access.
  • Confirm relevance and potential exposure within your environment.

Attack Path

How an attacker could exploit the issue

An attacker with low privileges could target a Coolify instance by crafting a malicious URL. This URL would leverage specific web UI components that fail to validate team ownership of server IDs found in URL parameters. By manipulating these parameters, an attacker could deploy resources to servers they do not own, potentially leading to unauthorized access and control over other teams' infrastructure.

  • Requires low-privilege access.
  • Triggers via crafted URL parameters.
  • Allows cross-team resource deployment.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, unauthorized users could deploy resources to servers not associated with their team. This could allow them to deploy applications or services onto infrastructure they do not own or manage, potentially impacting the availability or integrity of those systems.

  • Server resources and deployed applications.
  • Via crafted URL parameters in the web UI.
  • Unauthorized resource deployment on shared infrastructure.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Coolify platform's API controllers require server ownership validation, but certain Livewire web UI components do not enforce this, potentially allowing unauthorized cross-team deployments. Infrastructure and platform teams are likely responsible for Coolify deployments. The first practical move is to identify all Coolify instances, confirm their exposure and business criticality, and then plan remediation based on risk.

  • Platform/Infrastructure teams own this issue.
  • Verify server ownership validation in UI.
  • Plan cross-team deployment remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coolify?

Coolify is an open-source, self-hostable platform designed to simplify the management of servers, applications, and databases. Users typically deploy it to centralize infrastructure operations, allowing teams to organize and automate the deployment of various services through a single web-based interface.

What is the vulnerability in CVE-2026-57498?

This vulnerability is an authorization weakness categorized as CWE-639 and CWE-862. Essentially, while the underlying API correctly checks which team owns a server, specific web UI components fail to perform this check. This oversight allows a user to interact with or deploy resources to servers belonging to other teams that they should not have access to.

How is this vulnerability triggered?

An attacker triggers this flaw by manipulating specific URL parameters, such as 'server_id' or 'destination_uuid', within the web interface. Simply visiting the platform does not trigger the bug; the attacker must intentionally craft a request that bypasses standard ownership checks. If a user acts within the intended UI workflows without parameter manipulation, the bypass is not activated.

Is my Coolify instance at risk?

According to Halo Surface Signal, Coolify is often deployed as a web-accessible management surface, making its interface reachable from the internet. If your instance is exposed to the internet, it is more reachable by unauthorized users who might attempt to exploit these UI components. You should assess whether your instance is internet-facing or restricted to internal network access.

What should I do to address this issue?

The primary step is to update your Coolify installation to version 4.0.0-beta.474 or later, which includes the necessary fixes to enforce ownership validation. Infrastructure teams should prioritize identifying all instances of Coolify currently running in their environment to ensure this update is applied promptly across the board.

References