PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34037 coollabsio CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:48.020Z and has not been modified since then. Coolify, an open-source tool for managing servers, applications, and databases, had a vulnerability in its cloneTo() Livewire action in ResourceOperations.php. Prior to version 4.0.0-beta.464, the action authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources.

Vendor
coollabsio
Product
coolify
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Coolify versions prior to 4.0.0-beta.464 should review and update their installations to prevent unauthorized resource cloning and access. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess and mitigate the vulnerability.

Technical summary

The cloneTo() Livewire action in ResourceOperations.php of Coolify, an open-source tool for managing servers, applications, and databases, was found to have a vulnerability. Prior to version 4.0.0-beta.464, the action authorizes the source resource but resolves destination resources with unscoped Eloquent lookups. This allows an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources, potentially leading to unauthorized access and data breaches.

Defensive priority

High priority should be given to updating Coolify installations to version 4.0.0-beta.464 or later to mitigate the vulnerability.

Recommended defensive actions

  • Update Coolify to version 4.0.0-beta.464 or later
  • Review and monitor resource cloning activities
  • Implement additional access controls and monitoring for cross-tenant resource access
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability was fixed in version 4.0.0-beta.464 of Coolify. Users should verify their current version and update as necessary. Evidence limits suggest that deployments using Coolify versions prior to 4.0.0-beta.464 may be vulnerable. Defenders should verify affected scope and review compensating controls.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:48.020Z and has not been modified since then.