Which versions of Coolify are affected by CVE-2025-22610?

Organizations using Coolify should be aware of moderate risk from CVE-2025-22610, a missing authorization vulnerability rated CVSS 5.7. Attackers could gain access beyond their authorized level.

Is there a public PoC exploit available for CVE-2025-22610?

Yes, a public proof-of-concept exploit is available for CVE-2025-22610. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-22610?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Coolify CVE-2025-22610

Q: What is the CVSS score of CVE-2025-22610?

CVE-2025-22610 has a CVSS 4.0 base score of 5.7 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

MEDIUM

Missing Authorization (CWE-862)

2025-01-24 security-advisories@github.com

Authentication Bypass Coolify

5.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:05 vuln.today

PoC Detected

Sep 19, 2025 - 15:26 vuln.today

Public exploit code

CVE Published

Jan 24, 2025 - 17:15 nvd

MEDIUM 5.7

DescriptionNVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and "client secret" for every custom OAuth provider. The attacker can also modify the global OAuth configuration. Version 4.0.0-beta.361 fixes the issue.

AnalysisAI

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and "client secret" for every custom OAuth provider. The attacker can also modify the global OAuth configuration. Version 4.0.0-beta.361 fixes the issue. Affected products include: Coollabs Coolify. Version information: version 4.0.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2025-22610 vulnerability details – vuln.today

Back

Coolify CVE-2025-22610

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

Coolify CVE-2025-22610

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code