Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Remote, no auth or interaction, and trivially low complexity since the empty-key HMAC is deterministic; impact is high integrity (forged deployments) with no confidentiality or direct availability loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no default - meaning newly created applications have a null webhook secret. PHP's hash_hmac() function silently coerces a null key to an empty string ''. So when the secret is null, the server computes hash_hmac('sha256', $payload, '') - a deterministic value that any attacker can calculate independently. By sending X-Hub-Signature-256: sha256=<hash_hmac('sha256', payload, '')>, an unauthenticated attacker can forge a valid signature and trigger deployments. This vulnerability is fixed in 4.0.0-beta.474.
AnalysisAI
Webhook signature forgery in Coolify (self-hosted PaaS) before 4.0.0-beta.474 lets unauthenticated remote attackers trigger arbitrary application deployments. Because the per-application manual_webhook_secret_github field is nullable with no default, newly created applications carry a null HMAC key; PHP's hash_hmac() silently coerces null to an empty string, so the expected X-Hub-Signature-256 becomes a deterministic value any attacker can compute offline. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application's manual_webhook_secret_github value to be null/empty - the default state for applications created in Coolify prior to 4.0.0-beta.474 that were never assigned a manual webhook secret - and the Coolify webhook endpoint must be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (base 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, with a high integrity impact (forged deployments) and no direct confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates an internet-exposed Coolify instance and identifies the GitHub webhook endpoint for an application created with no webhook secret. The attacker crafts a deployment-triggering JSON payload, computes sha256=hash_hmac('sha256', payload, '') locally, and sends it with a matching X-Hub-Signature-256 header, causing Coolify to accept the forged request and trigger a deployment. … |
| Remediation | Vendor-released patch: upgrade Coolify to 4.0.0-beta.474 or later, which fixes the null-secret HMAC coercion (per advisory GHSA-w8wm-r924-f65v, https://github.com/coollabsio/coolify/security/advisories/GHSA-w8wm-r924-f65v). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Coolify instances in production and audit which applications have null manual_webhook_secret_github fields; restrict webhook endpoint network access via firewall to known Git provider IP ranges only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40223