What is the CVSS score of CVE-2025-22611?

CVE-2025-22611 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.5%.

Which versions of Coolify are affected by CVE-2025-22611?

Organizations using Coolify face critical risk from CVE-2025-22611, a missing authorization vulnerability rated CVSS 9.9.

Is there a public PoC exploit available for CVE-2025-22611?

Yes, a public proof-of-concept exploit is available for CVE-2025-22611. Prioritise patching immediately. EPSS: 0.5%.

How to fix or mitigate CVE-2025-22611?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Coolify CVE-2025-22611

CRITICAL

Missing Authorization (CWE-862)

2025-01-24 security-advisories@github.com

Authentication Bypass Coolify

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:05 vuln.today

PoC Detected

Sep 19, 2025 - 15:26 vuln.today

Public exploit code

CVE Published

Jan 24, 2025 - 17:15 nvd

CRITICAL 9.9

DescriptionNVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the Terminal feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue.

AnalysisAI

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the Terminal feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue. Affected products include: Coollabs Coolify. Version information: version 4.0.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2025-22611 vulnerability details – vuln.today

Back

Coolify CVE-2025-22611

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code