CVE-2026-34167 Overview
Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. CVE-2026-34167 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in the ActivityMonitor Livewire component. The component exposes a public $activityId property without Livewire's #[Locked] attribute and loads records via Activity::find($this->activityId) with no authorization or team scoping. Because activity IDs are auto-incrementing integers, any authenticated user can enumerate activities across all teams. Exposed activities may contain full command output from remote SSH processes, including secrets, configuration files, and infrastructure details. The issue is fixed in Coolify version 4.0.0-beta.471.
Critical Impact
Authenticated users in a multi-tenant Coolify deployment can read remote SSH command output from other teams, potentially exposing credentials, tokens, and infrastructure configuration.
Affected Products
- Coolify versions prior to 4.0.0-beta.471
- Self-hosted Coolify multi-tenant deployments
- Coolify installations exposing the ActivityMonitor Livewire component to authenticated users
Discovery Timeline
- 2026-07-06 - CVE-2026-34167 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-34167
Vulnerability Analysis
The flaw resides in Coolify's ActivityMonitor Livewire component, which tracks execution of remote SSH tasks orchestrated through the CoolifyTask job. Livewire exposes public component properties to the browser and permits clients to modify them unless they are explicitly marked with the #[Locked] attribute. In the vulnerable version, $activityId is a public integer property without this protection.
When the component renders, it calls Activity::find($this->activityId) on the Spatie activitylog model. The query performs no team scoping and no authorization check against the requesting user. Because activity records are stored in a shared table keyed by an auto-incrementing integer, an attacker can iterate values sequentially and retrieve arbitrary records.
Activity records embed the full stdout/stderr stream of remote SSH commands executed by Coolify. That output regularly includes database credentials, environment variables, deployment scripts, container configuration, and other operator-only material.
Root Cause
The root cause is missing object-level authorization combined with a client-controllable identifier. Livewire treats public properties as writable from the client. Without #[Locked], the $activityId becomes a tampering surface. The subsequent Activity::find() call does not filter by team_id or verify the caller's membership, so identifier tampering directly maps to cross-tenant data access.
Attack Vector
Exploitation requires only an authenticated Coolify account with permission to view the ActivityMonitor component. The attacker updates the component's activityId value through a standard Livewire update request and receives the rendered activity output in the response. Iterating the integer identifier enumerates every activity in the instance.
// Vulnerable pattern (pre-4.0.0-beta.471)
// app/Livewire/ActivityMonitor.php
class ActivityMonitor extends Component
{
public $activityId; // No #[Locked] attribute — client-controllable
public function render()
{
// No team scoping, no authorization check
$activity = Activity::find($this->activityId);
return view('livewire.activity-monitor', ['activity' => $activity]);
}
}
// Fix in v4.0.0-beta.471 adds #[Locked] to $activityId and scopes
// the query to the caller's team via the current session context.
// Source: https://github.com/coollabsio/coolify/pull/9189
Detection Methods for CVE-2026-34167
Indicators of Compromise
- Livewire update requests targeting the ActivityMonitor component with sequentially incrementing activityId values from a single session.
- HTTP POST traffic to the Livewire message endpoint (typically /livewire/update or /livewire/message/activity-monitor) at rates inconsistent with normal user interaction.
- Authenticated sessions accessing activity records associated with teams the user does not belong to, visible in application logs joining activities.id to users.current_team_id.
Detection Strategies
- Review web server and application logs for bursts of Livewire requests referencing the ActivityMonitor component with monotonically increasing identifier payloads.
- Correlate authenticated user IDs against the team_id column of returned activity records to surface cross-tenant reads.
- Alert on any user retrieving more distinct activity records within a short window than the operator would reasonably interact with.
Monitoring Recommendations
- Enable verbose logging on the Livewire endpoint and forward events to your SIEM or data lake for retention and query.
- Track deployments of Coolify by version and flag any instance still reporting a build older than 4.0.0-beta.471.
- Monitor outbound access to secrets management systems and rotate credentials that appear in historic activity logs.
How to Mitigate CVE-2026-34167
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.471 or later on all self-hosted instances.
- Rotate any credentials, API tokens, and SSH keys that may have appeared in remote command output captured by the activity log.
- Audit user accounts and revoke access for accounts that should no longer have team membership.
Patch Information
The fix ships in Coolify 4.0.0-beta.471. The patch hardens the ActivityMonitor component by adding the #[Locked] attribute to $activityId, scoping activity lookups to the caller's team, and simplifying the remote process chain. See the GitHub Security Advisory GHSA-962v-gxmw-56hc, the GitHub Pull Request #9189, and the GitHub Release v4.0.0-beta.471 for details.
Workarounds
- Restrict Coolify dashboard access to trusted operators only until the upgrade is complete, using network-level controls or reverse-proxy authentication.
- Reduce the number of authenticated accounts on shared instances and disable self-registration where possible.
- Purge historical activity records containing sensitive command output after upgrading.
# Upgrade a self-hosted Coolify instance to the patched release
curl -fsSL https://cdn.coollabs.io/coolify/install.sh -o install.sh
sudo bash ./install.sh
# Verify the running version is 4.0.0-beta.471 or later
docker inspect coolify --format '{{.Config.Image}}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

