PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34167 coollabsio CVE debrief

CVE-2026-34167 is a vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute, allowing authenticated users to enumerate activity records across all teams and read full command output from remote SSH processes, potentially including secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471.

Vendor
coollabsio
Product
coolify
CVSS
MEDIUM 5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of Coolify, especially those with administrative access, should be aware of this vulnerability and ensure they are running version 4.0.0-beta.471 or later to mitigate the risk.

Technical summary

The ActivityMonitor Livewire component in Coolify exposes a public $activityId property without proper authorization or team scoping. This allows any authenticated user to access activity records across all teams and read command output from SSH processes, which may contain sensitive information. The vulnerability is due to the lack of Livewire's #[Locked] attribute on the $activityId property and the use of Activity::find($this->activityId) without proper access controls. The issue has been fixed in version 4.0.0-beta.471.

Defensive priority

Medium priority should be given to updating Coolify to version 4.0.0-beta.471 or later, as the vulnerability allows for unauthorized access to potentially sensitive information.

Recommended defensive actions

  • Update Coolify to version 4.0.0-beta.471 or later
  • Review and monitor activity records for unauthorized access
  • Ensure proper authorization and access controls are in place for sensitive operations
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-06T22:16:48.497Z and was last modified on 2026-07-07T13:22:13.557Z. The NVD entry is currently Deferred. Evidence is limited to public CVE and NVD information. Defenders should verify Coolify version 4.0.0-beta.471 or later is deployed, review activity records, and ensure proper authorization and access controls are in place.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T22:16:48.497Z and has not been modified since then. The NVD entry is currently Deferred.