Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 07 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 07 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Coollabsio
Coollabsio coolify |
|
| Vendors & Products |
Coollabsio
Coollabsio coolify |
Tue, 07 Jul 2026 03:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464. | |
| Title | Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo() | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-07T14:02:21.731Z
Reserved: 2026-03-25T15:29:04.744Z
Link: CVE-2026-34037
Updated: 2026-07-07T14:01:50.920Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T04:30:15Z