Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.
References
Configurations
No configuration.
History
30 Jun 2026, 20:17
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/coollabsio/coolify/security/advisories/GHSA-5p5w-h58c-2h5m - |
30 Jun 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-30 15:16
Updated : 2026-06-30 20:17
NVD link : CVE-2026-27881
Mitre link : CVE-2026-27881
CVE.ORG link : CVE-2026-27881
JSON object : View
Products Affected
No product.
CWE
CWE-639
Authorization Bypass Through User-Controlled Key
