Activity Monitoring Exposure in Coolify by CoolLabs
CVE-2026-34167

5MEDIUM

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-34167?

The ActivityMonitor Livewire component in Coolify versions prior to 4.0.0-beta.471 allows authenticated users to access activity records across all teams. The public $activityId property lacks the necessary Livewire #[Locked] attribute, which leads to unauthorized loading of activities. This vulnerability enables users to enumerate activity IDs, potentially revealing sensitive command outputs from remote SSH processes, including secrets and configuration details. The issue has been addressed in subsequent releases.

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.