CVE-2026-34167
MEDIUMCoolify: Cross-tenant activity log disclosure via unlocked Livewire property in ActivityMonitor
Title source: cnaDescription
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute. It loads activities via Activity::find($this->activityId) with no authorization or team scoping. Activity IDs are auto-incrementing integers. Any authenticated user can enumerate activity records across all teams and read the full command output from remote SSH processes, which may include secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/coollabsio/coolify/security/advisories/GHSA-962v-gxmw-56hc
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/pull/9189
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/2729dffb3e30167c1ffd642357b7e0bb99b7d180
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471
Scores
CVSS v3
5.0
EPSS
0.0020
EPSS Percentile
9.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Details
CWE
CWE-639
Status
published
Products (1)
coollabsio/coolify
< 4.0.0-beta.471
Published
Jul 06, 2026
Tracked Since
Jul 07, 2026