CVE-2026-27956 MEDIUM

CVE-2026-27956: Coolify: Cross-team application domain enumeration via domains_by_server endpoint

Vendor Coollabsio
Product coolify
Weakness CWE-639 · IDOR
Published June 30, 2026
Last update June 30, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
June 30, 2026 Record updated