Skip to main content

Coolify CVE-2026-15507

| EUVDEUVD-2026-43248 LOW
Missing Authorization (CWE-862)
2026-07-12 cna@vuldb.com GHSA-6qvw-24xv-xqw6
2.1
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-reachable but requires authenticated low-privileged account (PR:L); no scope change; impact is limited to low across CIA triad per CVSS 4.0 mapping.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 22:30 vuln.today

DescriptionCVE.org

A vulnerability was detected in coollabsio Coolify up to 4.1.1. The impacted element is an unknown function of the file /app/Policies/ of the component Policy Handler. Performing a manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit is now public and may be used.

AnalysisAI

Missing authorization in Coolify's Policy Handler allows authenticated remote attackers to bypass resource-level access controls in versions up to 4.1.1. The flaw resides in the /app/Policies/ component, where policy enforcement checks are absent or incomplete, enabling low-privileged users to access or manipulate resources beyond their intended authorization scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Coolify account
Exploit
Craft request to restricted resource endpoint
Execution
Policy Handler skips authorization check
Impact
Access or modify another user's resource data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with at minimum a low-privileged Coolify account (PR:L confirmed by CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.1 reflects the limited blast radius: PR:L confirms exploitation requires an authenticated low-privileged account, and VC:L/VI:L/VA:L indicates only low-impact access violations rather than full system compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Coolify user with a standard low-privileged account sends crafted HTTP requests to resource endpoints that should be restricted by policy checks; because the relevant Policy Handler methods are missing or stubbed out, the authorization gate is never enforced and the server returns or modifies data belonging to other users or teams. A public POC archive demonstrating this has been published on GitHub, lowering the skill threshold for exploitation.
Remediation Upgrade Coolify to a version beyond 4.1.1 once a patched release is issued by coollabsio - no confirmed patched version number is present in the available data, so monitor the official Coolify GitHub repository and release notes for a fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy