Skip to main content

Coolify CVE-2026-41896

| EUVDEUVD-2026-40223 HIGH
Improper Authentication (CWE-287)
2026-06-29 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Remote, no auth or interaction, and trivially low complexity since the empty-key HMAC is deterministic; impact is high integrity (forged deployments) with no confidentiality or direct availability loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 29, 2026 - 22:02 EUVD
Analysis Generated
Jun 29, 2026 - 21:15 vuln.today
CVE Published
Jun 29, 2026 - 20:16 cve.org
HIGH 7.5

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no default - meaning newly created applications have a null webhook secret. PHP's hash_hmac() function silently coerces a null key to an empty string ''. So when the secret is null, the server computes hash_hmac('sha256', $payload, '') - a deterministic value that any attacker can calculate independently. By sending X-Hub-Signature-256: sha256=<hash_hmac('sha256', payload, '')>, an unauthenticated attacker can forge a valid signature and trigger deployments. This vulnerability is fixed in 4.0.0-beta.474.

AnalysisAI

Webhook signature forgery in Coolify (self-hosted PaaS) before 4.0.0-beta.474 lets unauthenticated remote attackers trigger arbitrary application deployments. Because the per-application manual_webhook_secret_github field is nullable with no default, newly created applications carry a null HMAC key; PHP's hash_hmac() silently coerces null to an empty string, so the expected X-Hub-Signature-256 becomes a deterministic value any attacker can compute offline. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Coolify webhook endpoint
Delivery
Craft deployment trigger payload
Exploit
Compute HMAC with empty key
Execution
Send forged X-Hub-Signature-256 header
Impact
Server validates and triggers deployment

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application's manual_webhook_secret_github value to be null/empty - the default state for applications created in Coolify prior to 4.0.0-beta.474 that were never assigned a manual webhook secret - and the Coolify webhook endpoint must be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (base 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, with a high integrity impact (forged deployments) and no direct confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates an internet-exposed Coolify instance and identifies the GitHub webhook endpoint for an application created with no webhook secret. The attacker crafts a deployment-triggering JSON payload, computes sha256=hash_hmac('sha256', payload, '') locally, and sends it with a matching X-Hub-Signature-256 header, causing Coolify to accept the forged request and trigger a deployment. …
Remediation Vendor-released patch: upgrade Coolify to 4.0.0-beta.474 or later, which fixes the null-secret HMAC coercion (per advisory GHSA-w8wm-r924-f65v, https://github.com/coollabsio/coolify/security/advisories/GHSA-w8wm-r924-f65v). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Coolify instances in production and audit which applications have null manual_webhook_secret_github fields; restrict webhook endpoint network access via firewall to known Git provider IP ranges only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

CVE-2026-41896 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy