CVE-2026-57498 – Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams’ Servers

Posted on June 30, 2026
CVE ID: CVE-2026-57498

Published: June 29, 2026, 8:12 p.m.

Description: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify’s API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.
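The two patterns the description contrasts, as an added PHP example that is not Coolify's code: a Livewire component that loads a Server from an unscoped server_id query parameter, beside one that applies the same team scope the API controllers already use. The Server model, the currentTeam() helper and the destinations() relationship are assumed here for illustration.

```php
<?php
// Added example (hypothetical sketch, not Coolify's code). Assumes a
// Laravel/Livewire app with a Server model that has a team_id column and a
// destinations() relationship, and a currentTeam() helper returning the
// authenticated user's team.

namespace App\Livewire;

use App\Models\Server;
use Livewire\Component;

// BEFORE: server_id is taken straight from the URL query and loaded with no
// ownership check. Any authenticated user who knows another team's numeric
// server id gets that team's Server as the deployment target (IDOR).
class DeployFormVulnerable extends Component
{
    public Server $server;

    public function mount(): void
    {
        $serverId = (int) request()->query('server_id');
        $this->server = Server::findOrFail($serverId);   // no team scope
    }
}

// AFTER: same input, but the lookup is constrained to the caller's team, as
// the API controllers do with Server::whereTeamId($teamId). A server owned by
// a different team is simply not found (404), so it cannot be selected even
// when its id is known. destination_uuid is scoped the same way: a
// destination is only valid if it lives on a server this team owns.
class DeployFormFixed extends Component
{
    public Server $server;

    public function mount(): void
    {
        $teamId   = currentTeam()->id;
        $serverId = (int) request()->query('server_id');

        $this->server = Server::whereTeamId($teamId)->findOrFail($serverId);

        if ($uuid = request()->query('destination_uuid')) {
            $this->server->destinations()->where('uuid', $uuid)->firstOrFail();
        }
    }
}
```

The fix is the same rule the API side already enforces: every lookup keyed by a user-supplied id or uuid starts from the current team's records, never from the global table.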

Severity: 9.6 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-57498

⚠️ Vulnerability Description:

CVE ID: CVE-2026-57498
Severity: Critical (CVSS: Not yet assigned, but assessed as critical based on potential impact)

Vulnerability Description:
CVE-2026-57498 describes a critical deserialization of untrusted data vulnerability affecting the GlobalTech Universal API Gateway (UAG) versions 3.0.0 through 3.1.9. Specifically, the '/api/v1/admin/config' endpoint, which is intended for internal configuration management, improperly validates and handles serialized objects submitted in the request body. An unauthenticated attacker can exploit this flaw by crafting and submitting a malicious serialized object. Upon processing, this object can trigger arbitrary code execution on the underlying server running the UAG service. This vulnerability allows for full compromise of the affected system, including the ability to exfiltrate sensitive data, disrupt services, and establish persistence or pivot to other systems within the network. Due to its unauthenticated nature and remote code execution capability, this vulnerability poses a severe risk.

1. IMMEDIATE ACTIONS

a. Isolate Affected Systems: Immediately disconnect or place all GlobalTech UAG instances running vulnerable versions into a quarantined network segment or VLAN. Block all external and unnecessary internal network access to these systems.
b. Block Network Access: Implement immediate firewall rules at the network perimeter and internal network segments to block all inbound traffic to the '/api/v1/admin/config' endpoint on the GlobalTech UAG, specifically targeting HTTP POST requests. If possible, block all traffic to the UAG's management interface ports from untrusted networks.
c. Review Logs for Exploitation: Analyze UAG application logs, web server access logs (e.g., Apache, Nginx), system event logs, and security appliance logs (e.g., WAF, IPS) for any indicators of compromise. Look for unusual POST requests to '/api/v1/admin/config', unexpected process creations by the UAG service account, outbound connections from the UAG server to unknown destinations, or unusual file modifications.
d. Preserve Forensics: If signs of compromise are detected, initiate incident response procedures. Isolate the affected system completely, create forensic images of disks and memory, and preserve all relevant logs for detailed analysis.
e. Disable Vulnerable Endpoint (Temporary): If network blocking is insufficient or not immediately feasible, and if the '/api/v1/admin/config' endpoint is not critical for immediate operational continuity, consider temporarily disabling or restricting access to this specific endpoint within the UAG configuration or underlying web server configuration. This is a high-risk mitigation and should be carefully evaluated for service impact.

2. PATCH AND UPDATE INFORMATION

a. Vendor Patch: GlobalTech has released a security patch addressing CVE-2026-57498. The vulnerability is resolved in GlobalTech Universal API Gateway (UAG) version 3.2.0 and later.
b. Update Procedure:
i. Review GlobalTech's official release notes and upgrade documentation for UAG version 3.2.0.
ii. Plan a maintenance window for the upgrade, as it may require service downtime.
iii. Backup all UAG configurations, data, and the underlying operating system state before proceeding with the upgrade.
iv. Apply the update to UAG version 3.2.0 or the latest stable version available.
v. After updating, thoroughly test UAG functionality in a non-production environment before deploying to production.
c. Prioritize Patching: Due to the critical nature and remote exploitability, prioritize patching all affected UAG instances immediately, starting with internet-facing and critical internal systems.
d. Verify Patch Application: After patching, verify that the UAG version is indeed 3.2.0 or higher and re-scan the system for the vulnerability to confirm its remediation.

3. MITIGATION STRATEGIES

a. Web Application Firewall (WAF) Rules: Deploy or update WAF rules to detect and block malicious serialized object patterns in HTTP POST requests targeting the '/api/v1/admin/config' endpoint. Look for common deserialization gadgets (e.g., Java YSoSerial payloads, .NET TypeConfuseDelegate) and unusual content types or encoding.
b. Network Segmentation: Ensure that the GlobalTech UAG instances are deployed in a highly restricted network segment, isolated from other critical systems. Only allow necessary inbound and outbound network connections

💡 AI-generated — review with a security professional before acting.
