PatchSiren cyber security CVE debrief
CVE-2026-34050 coollabsio CVE debrief
CVE-2026-34050 is a medium-severity vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.471. The vulnerability resides in the Settings/Updates Livewire component, which fails to check if the user is an instance administrator (isInstanceAdmin) in its mount method. This oversight allows non-admin users to access the Updates settings page, potentially enabling them to modify auto-update settings or trigger update checks. The vulnerability has a CVSS score of 6.5 and is classified as MEDIUM. The issue has been fixed in version 4.0.0-beta.471.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Administrators and users of Coolify, especially those with non-admin roles, should be aware of this vulnerability. If an attacker gains access to a non-admin account, they could potentially exploit this vulnerability to alter update settings or trigger updates, which could have unintended consequences on the system.
Technical summary
The vulnerability is located in the Settings/Updates Livewire component of Coolify. Specifically, the mount method of this component does not perform the necessary checks to ensure that only instance administrators can access the Updates settings page. This allows users with lower privileges to view and potentially modify sensitive update-related settings. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating that the vulnerability can be exploited over the network with low attack complexity and privileges.
Defensive priority
Medium priority should be given to updating Coolify to version 4.0.0-beta.471 or later. In the meantime, administrators should closely monitor access to the Updates settings page and ensure that only authorized personnel have the necessary permissions.
Recommended defensive actions
- Update Coolify to version 4.0.0-beta.471 or later
- Review and restrict access to the Updates settings page
- Monitor for suspicious activity related to update settings
- Verify user permissions and roles within Coolify
- Perform a thorough review of system logs to detect any unauthorized access
- Implement additional monitoring for changes to update settings
- Review and update incident response plans to include this vulnerability
Evidence notes
The CVE record was published on 2026-07-06T22:16:48.250Z and was last modified on 2026-07-07T15:16:44.300Z. The NVD entry is currently Deferred. The vulnerability details were obtained from the NVD and CVE.org. Additional information can be found in the related GitHub commit, pull request, and security advisory.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T22:16:48.250Z and has not been modified since then. The NVD entry is currently Deferred.