Activity Monitoring Exposure in Coolify by CoolLabs
CVE-2026-34167
5MEDIUM
What is CVE-2026-34167?
The ActivityMonitor Livewire component in Coolify versions prior to 4.0.0-beta.471 allows authenticated users to access activity records across all teams. The public $activityId property lacks the necessary Livewire #[Locked] attribute, which leads to unauthorized loading of activities. This vulnerability enables users to enumerate activity IDs, potentially revealing sensitive command outputs from remote SSH processes, including secrets and configuration details. The issue has been addressed in subsequent releases.
Affected Version(s)
coolify < 4.0.0-beta.471
