Cross-Team Resource Deployment Vulnerability in Coolify by Coollabs
CVE-2026-57498

9.6CRITICAL

Key Information:

Vendor: Coollabsio
Status: Coolify
Vendor: CVE Published:; 29 June 2026

What is CVE-2026-57498?

Coolify, an open-source and self-hostable server management tool, has a vulnerability in its API that allows for cross-team resource deployment. Before version 4.0.0-beta.474, the API improperly validates team ownership when handling requests via Livewire web UI components. This oversight enables users to manipulate server_id and destination_uuid parameters from URL query strings, allowing unauthorized access to resources belonging to different teams. The issue has been addressed in the latest release, ensuring that proper ownership validation is enforced.

Affected Version(s)

coolify < 4.0.0-beta.474

References

https://github.com/coollabsio/coolify/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 24, 2026

CVE-2026-57498 Data

JSON

Coollabsio

What is CVE-2026-57498?

Affected Version(s)

References

CVSS V3.1

Timeline