Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-reachable API requiring a low-privilege read token (PR:L); no confidentiality or availability impact, only integrity via unauthorized state-changing calls.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and servers. This issue is fixed in version 4.0.0-beta.466.
AnalysisAI
Incorrect authorization in Coolify's API layer allows any holder of a read-scoped API token to invoke mutating validation endpoints - including cloud token validation and server validation - that should require write-level privileges. All Coolify deployments prior to version 4.0.0-beta.466 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires possession of a valid Coolify API token with at least read scope - the attacker must be an authenticated user of the Coolify instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible flaw with low-privilege authentication required (PR:L), low attack complexity, no user interaction, and high integrity impact with no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has been issued a read-only API token - for example, a developer or monitoring service with intentionally restricted access - crafts API requests to the mutating validation endpoints (such as cloud credential validation or server connectivity checks) that should require write permissions. Because the authorization guard checks only for read ability, the request succeeds and the attacker can trigger state-changing operations on the Coolify-managed infrastructure. … |
| Remediation | Upgrade to Coolify version 4.0.0-beta.466 or later, which resolves the incorrect authorization check on mutating validation endpoints. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41949