Skip to main content

Coolify CVE-2026-27882

| EUVDEUVD-2026-40328 MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-06-30 GitHub_M
4.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

Network-accessible endpoint requires no authentication, but AC:H reflects timing attack dependency on low-jitter, high-volume network conditions; no availability impact applies.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 30, 2026 - 16:01 EUVD
Analysis Generated
Jun 30, 2026 - 15:26 vuln.today

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461.

AnalysisAI

Coolify's GitLab webhook endpoint leaks its secret token through a timing side-channel, enabling unauthenticated network attackers to reconstruct the token incrementally by measuring HTTP response time differences. All self-hosted Coolify instances prior to 4.0.0-beta.461 with GitLab webhook integrations configured are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate publicly exposed Coolify GitLab webhook endpoint
Delivery
Send high-volume timed probe requests with token variants
Exploit
Statistically measure per-character response time deltas
Execution
Reconstruct webhook secret token byte-by-byte
Persist
Forge valid signed GitLab webhook payload
Impact
Trigger unauthorized deployment or pipeline action in Coolify

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Coolify instance has at least one GitLab webhook integration configured with a secret token, and that the GitLab webhook endpoint is reachable by the attacker over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N is consistent with the nature of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with reliable, low-latency access to the Coolify instance's GitLab webhook endpoint submits thousands of HTTP POST requests with incrementally varied secret token values, carefully measuring response times to identify which byte positions match the real token character by character. After accumulating sufficient statistical samples to overcome network jitter, the attacker reconstructs the full webhook secret and uses it to craft a forged GitLab push-event payload, causing Coolify to execute an unauthorized deployment or pipeline action.
Remediation The primary fix is to upgrade Coolify to version 4.0.0-beta.461 or later, which replaces the non-constant-time `!==` comparison with a timing-safe alternative. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

CVE-2026-27882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy