CVE-2026-27956 Overview
CVE-2026-27956 is an authorization flaw in Coolify, an open-source and self-hostable platform for managing servers, applications, and databases. The vulnerability affects versions prior to 4.0.0-beta.464. The GET /api/v1/servers/{server_uuid}/domains endpoint bypasses team scoping when the optional uuid query parameter is supplied. Any authenticated API user can enumerate fully qualified domain names (FQDNs) belonging to applications owned by other teams. The issue is categorized under CWE-639: Authorization Bypass Through User-Controlled Key. The maintainers addressed the issue in Coolify 4.0.0-beta.464.
Critical Impact
Authenticated users in one Coolify team can enumerate application domain names across all other tenants, exposing infrastructure topology and enabling downstream reconnaissance.
Affected Products
- Coolify versions prior to 4.0.0-beta.464
- Self-hosted Coolify instances exposing the /api/v1/servers/{server_uuid}/domains endpoint
- Multi-tenant Coolify deployments with more than one team defined
Discovery Timeline
- 2026-06-30 - CVE-2026-27956 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-27956
Vulnerability Analysis
Coolify implements team-based tenancy so that resources belonging to one team remain isolated from other teams sharing the same instance. The API route GET /api/v1/servers/{server_uuid}/domains normally returns domains associated with the requesting user's team. When callers supply the optional uuid query parameter to request a specific application's domains, the handler resolves the application directly from the supplied UUID without validating that the target application belongs to the caller's team.
The result is an Insecure Direct Object Reference (IDOR). An authenticated user who possesses or guesses an application UUID can retrieve the FQDNs of applications in unrelated teams. The disclosure is limited to domain names, which does not compromise integrity or availability. However, FQDNs frequently reveal internal service naming conventions, staging environments, and customer-specific hostnames that assist targeted follow-on attacks.
Root Cause
The root cause is a missing authorization check on a user-controlled key. The endpoint uses the uuid query parameter as the primary lookup value and omits the team-scoping predicate that other Coolify endpoints enforce. [CWE-639] describes this pattern: access control decisions rely on parameters an attacker can modify, and the application fails to verify that the caller has rights to the referenced object.
Attack Vector
Exploitation requires only a valid Coolify API token for any team on the target instance. The attacker issues an authenticated GET request to /api/v1/servers/{server_uuid}/domains?uuid={app_uuid} where {app_uuid} identifies an application in a different team. The server returns the associated domain names. UUIDs may be obtained through prior access, log leakage, shared collaboration surfaces, or brute-force attempts against the 128-bit identifier space when partial values are known. See the GitHub Security Advisory GHSA-9x6p-29p3-h466 for the maintainer's technical description.
Detection Methods for CVE-2026-27956
Indicators of Compromise
- Requests to /api/v1/servers/{server_uuid}/domains that include a uuid query parameter referencing applications outside the caller's team.
- High-volume enumeration patterns from a single API token targeting the domains endpoint with varying uuid values.
- API responses returning FQDNs that do not correspond to any application owned by the requesting team.
Detection Strategies
- Parse Coolify HTTP access logs and correlate the uuid query parameter against the team ownership of both the token and the target application.
- Alert when a single authenticated identity queries the domains endpoint with a broad set of distinct uuid values in a short interval.
- Baseline normal API usage per token and flag deviations in endpoint mix, especially spikes toward /api/v1/servers/*/domains.
Monitoring Recommendations
- Forward Coolify reverse proxy or application logs to a centralized logging platform and retain full URL query strings.
- Instrument the Coolify API layer to emit structured audit events including caller team ID, target resource team ID, and endpoint name.
- Monitor for post-upgrade regressions by tracking the version string exposed by the Coolify instance and confirming it is at or above 4.0.0-beta.464.
How to Mitigate CVE-2026-27956
Immediate Actions Required
- Upgrade all Coolify instances to version 4.0.0-beta.464 or later, which contains the authorization fix.
- Rotate Coolify API tokens for any team where cross-tenant enumeration is suspected based on log review.
- Review historical access logs for the /api/v1/servers/{server_uuid}/domains endpoint to identify prior misuse of the uuid parameter.
Patch Information
The maintainers fixed CVE-2026-27956 in Coolify 4.0.0-beta.464. The patch adds team-scoping validation to the domains endpoint so the resolved application must belong to the same team as the requesting API token. Refer to the Coolify GitHub Security Advisory for release notes and the associated commit.
Workarounds
- Restrict network access to the Coolify API to trusted operators until the upgrade is complete.
- Reduce API token scope by issuing tokens only to users who require programmatic access, and revoke tokens that are unused.
- Place the Coolify API behind a reverse proxy that strips or rejects the uuid query parameter on the /api/v1/servers/*/domains route as a temporary compensating control.
# Reverse proxy compensating control example (nginx)
location ~ ^/api/v1/servers/[^/]+/domains$ {
if ($arg_uuid) {
return 403;
}
proxy_pass http://coolify_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

