CVE-2026-34037
CRITICALCross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()
Title source: cnaDescription
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/coollabsio/coolify/security/advisories/GHSA-ggrr-wrvr-x83v
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/1759a1631cd63271ebf6caa250c6d93440eaa333
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.464
Scores
CVSS v3
9.9
EPSS
0.0025
EPSS Percentile
15.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (1)
coollabsio/coolify
< 4.0.0-beta.464
Published
Jul 07, 2026
Tracked Since
Jul 07, 2026