CVE-2026-57498
Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams' Servers
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.
INFO
Published Date :
June 29, 2026, 8:12 p.m.
Last Modified :
June 29, 2026, 8:12 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Solution
- Update Coolify to version 4.0.0-beta.474 or later.
- Verify server ownership validation is enforced.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-57498 vulnerability anywhere in the article.