CVE-2026-27881 Overview
Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. CVE-2026-27881 is a broken access control vulnerability [CWE-639] in the deployment API endpoint. The GET /api/v1/deployments/{uuid} route in DeployController.php retrieves deployment details without verifying that the requested deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records belonging to other teams by supplying a valid deployment UUID. The issue affects Coolify versions prior to 4.0.0-beta.464 and is fixed in that release.
Critical Impact
Authenticated tenants can enumerate and read deployment metadata across team boundaries, leading to cross-tenant information disclosure in multi-team Coolify instances.
Affected Products
- Coolify versions prior to 4.0.0-beta.464
- Self-hosted Coolify instances exposing the /api/v1/deployments/{uuid} endpoint
- Multi-team Coolify deployments with more than one tenant issuing API tokens
Discovery Timeline
- 2026-06-30 - CVE-2026-27881 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-27881
Vulnerability Analysis
The flaw is a classic Insecure Direct Object Reference (IDOR) in the Coolify REST API. The GET /api/v1/deployments/{uuid} handler in DeployController.php performs authentication but skips the tenant authorization check. Once a user presents a valid API token, the controller loads the deployment identified by the supplied UUID and returns its details, regardless of which team owns that deployment. Coolify organizes resources by team, so this missing check breaks the isolation model between tenants sharing the same instance. Exposed data can include build metadata, deployment status, commit references, and other operational details tied to another team's applications.
Root Cause
The controller resolves a deployment by UUID without applying a team ownership filter or authorization policy. There is no where('team_id', $user->currentTeam->id) scoping or equivalent policy gate before the record is returned. This aligns with [CWE-639] Authorization Bypass Through User-Controlled Key: the object identifier is trusted as sufficient to authorize access.
Attack Vector
An attacker needs a valid Coolify API token and a target deployment UUID. UUIDs are not secret credentials, so they may be discovered through logs, shared screenshots, CI/CD systems, webhook payloads, or brute-force enumeration in smaller instances. The attacker issues an authenticated GET request to /api/v1/deployments/{uuid} with the target UUID. The API responds with the deployment record even though the token belongs to a different team. No user interaction is required, and the attack is performed entirely over the network.
The vulnerability is described in the GitHub Security Advisory GHSA-5p5w-h58c-2h5m.
Detection Methods for CVE-2026-27881
Indicators of Compromise
- Authenticated GET requests to /api/v1/deployments/{uuid} where the responding deployment's team_id does not match the token owner's team.
- API tokens issued to one team querying a high volume of distinct deployment UUIDs in a short window.
- Access log entries showing 200 responses on /api/v1/deployments/ from users who have no deployments of their own.
Detection Strategies
- Enable and review Coolify application logs for /api/v1/deployments/{uuid} requests, correlating the authenticated user's team with the returned deployment's team.
- Deploy a reverse proxy or web application firewall in front of Coolify to record API request patterns and flag cross-team access anomalies.
- Run authenticated scans that request known deployment UUIDs from a low-privileged test token and alert if data is returned.
Monitoring Recommendations
- Track request rates per API token against the /api/v1/deployments/ path and alert on unusual enumeration behavior.
- Ingest Coolify web server and application logs into a centralized logging or SIEM platform for cross-tenant access analysis.
- Rotate and audit API tokens regularly, and record token creation, usage, and revocation events for forensic review.
How to Mitigate CVE-2026-27881
Immediate Actions Required
- Upgrade all Coolify instances to version 4.0.0-beta.464 or later without delay.
- Rotate every existing API token so any previously leaked tokens cannot be reused against the patched endpoint.
- Review recent access logs for /api/v1/deployments/{uuid} calls and investigate any cross-team access observed prior to patching.
Patch Information
The vulnerability is fixed in Coolify 4.0.0-beta.464. The patch adds a team ownership check to the deployment lookup in DeployController.php so that requests are rejected when the deployment does not belong to the authenticated user's team. Details are available in the Coolify GitHub Security Advisory.
Workarounds
- Restrict network access to the Coolify API to trusted operators using firewall rules, VPN, or reverse proxy allowlists until the upgrade is applied.
- Temporarily disable or revoke API tokens for users who do not require programmatic access to deployments.
- Segregate tenants by running separate Coolify instances per team where multi-team isolation is a hard requirement.
# Upgrade Coolify to the fixed release
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
# Verify the running version is 4.0.0-beta.464 or later
docker exec coolify php artisan --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

