PatchSiren cyber security CVE debrief
CVE-2026-34037 coollabsio CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:48.020Z and has not been modified since then. Coolify, an open-source tool for managing servers, applications, and databases, had a vulnerability in its cloneTo() Livewire action in ResourceOperations.php. Prior to version 4.0.0-beta.464, the action authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Coolify versions prior to 4.0.0-beta.464 should review and update their installations to prevent unauthorized resource cloning and access. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess and mitigate the vulnerability.
Technical summary
The cloneTo() Livewire action in ResourceOperations.php of Coolify, an open-source tool for managing servers, applications, and databases, was found to have a vulnerability. Prior to version 4.0.0-beta.464, the action authorizes the source resource but resolves destination resources with unscoped Eloquent lookups. This allows an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources, potentially leading to unauthorized access and data breaches.
Defensive priority
High priority should be given to updating Coolify installations to version 4.0.0-beta.464 or later to mitigate the vulnerability.
Recommended defensive actions
- Update Coolify to version 4.0.0-beta.464 or later
- Review and monitor resource cloning activities
- Implement additional access controls and monitoring for cross-tenant resource access
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability was fixed in version 4.0.0-beta.464 of Coolify. Users should verify their current version and update as necessary. Evidence limits suggest that deployments using Coolify versions prior to 4.0.0-beta.464 may be vulnerable. Defenders should verify affected scope and review compensating controls.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:48.020Z and has not been modified since then.