Authorization Bypass in Coolify by Coollabsio
CVE-2026-27883

5 MEDIUM

Key Information:

Vendor: Coollabsio

Status
Vendor
CVE Published: 30 June 2026

What is CVE-2026-27883?

Coolify, an open-source tool for managing servers, applications, and databases, has a vulnerability that lets authenticated users read deployment details belonging to other teams. The GET /api/v1/deployments/{uuid} endpoint does not enforce team-based authorization: the $teamId is read from the authentication token but is never used to restrict the database query. The result is unauthorized exposure of deployment data across teams. The issue is fixed in version 4.0.0-beta.464.
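
The pattern described above, as an added example that is not Coolify's own code: an unscoped lookup by UUID next to a team-scoped one, plus a regression check that tries every token against every deployment. The table layout, token map and function names are hypothetical, and the rows are constructed sample data.

```python
import sqlite3

# Constructed schema and rows: a hypothetical stand-in, not Coolify's real tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE deployments (uuid TEXT PRIMARY KEY, team_id INTEGER NOT NULL, logs TEXT);
        INSERT INTO deployments VALUES ('dep-team1-aaaa', 1, 'team 1 build output');
        INSERT INTO deployments VALUES ('dep-team2-bbbb', 2, 'team 2 build output');
    """)
    return db

def team_id_from_token(token):
    # Hypothetical token store: maps an API token to the team it was issued for.
    return {"token-team1": 1, "token-team2": 2}.get(token)

def get_deployment_unscoped(db, token, uuid):
    """Flawed pattern: the team id is derived from the token but never reaches the query."""
    team_id = team_id_from_token(token)
    if team_id is None:
        return 401, None
    row = db.execute("SELECT * FROM deployments WHERE uuid = ?", (uuid,)).fetchone()
    return (200, dict(row)) if row else (404, None)

def get_deployment_scoped(db, token, uuid):
    """Corrected pattern: lookup limited to the caller's team; foreign UUIDs get 404."""
    team_id = team_id_from_token(token)
    if team_id is None:
        return 401, None
    row = db.execute(
        "SELECT * FROM deployments WHERE uuid = ? AND team_id = ?", (uuid, team_id)
    ).fetchone()
    return (200, dict(row)) if row else (404, None)

def audit_cross_team_reads(handler):
    """Regression check: try every (token, deployment) pair, list cross-team reads."""
    db = make_db()
    leaks = []
    for token in ("token-team1", "token-team2"):
        for r in db.execute("SELECT uuid, team_id FROM deployments").fetchall():
            status, body = handler(db, token, r["uuid"])
            if status == 200 and body["team_id"] != team_id_from_token(token):
                leaks.append((token, r["uuid"]))
    return leaks

if __name__ == "__main__":
    print("unscoped:", audit_cross_team_reads(get_deployment_unscoped))
    print("scoped:  ", audit_cross_team_reads(get_deployment_scoped))
```

The same pairwise check works as an integration test against any team-scoped API route, using two test teams and one resource per team.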

Affected Version(s)

coolify < 4.0.0-beta.464

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
