What is the CVSS score of CVE-2025-64423?

CVE-2025-64423 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Coolify are affected by CVE-2025-64423?

Organizations using Coolify face significant risk from CVE-2025-64423, a improper authentication vulnerability rated CVSS 8.8.

Is there a public PoC exploit available for CVE-2025-64423?

Yes, a public proof-of-concept exploit is available for CVE-2025-64423. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-64423?

Within 7 days: Identify all affected systems running Coolify and apply vendor patches promptly. Audit authentication configurations and rotate any potentially compromised credentials.

Coolify CVE-2025-64423

HIGH

Improper Authentication (CWE-287)

2026-01-05 security-advisories@github.com

Authentication Bypass Coolify

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 09, 2026 - 16:10 vuln.today

Public exploit code

CVE Published

Jan 05, 2026 - 21:16 nvd

HIGH 8.8

DescriptionGitHub Advisory

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.

AnalysisAI

Technical ContextAI

Classified as CWE-287 (Improper Authentication). Affects Coolify. Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-64423 vulnerability details – vuln.today

Back

Coolify CVE-2025-64423

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code