Skip to main content

Coolify CVE-2026-42147

| EUVDEUVD-2026-41992 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-07 GitHub_M
4.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

PR:H confirmed by storage management permission requirement; C:H reflects credential exposure risk via metadata SSRF; no integrity or availability impact identified.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 05:01 EUVD
Analysis Generated
Jul 07, 2026 - 04:12 vuln.today

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection() sends a server-side request to the configured endpoint, allowing an authenticated user with storage management permissions to make Coolify request internal or metadata-service URLs. This issue is fixed in version 4.0.0-beta.474.

AnalysisAI

Server-Side Request Forgery (SSRF) in Coolify prior to v4.0.0-beta.474 enables an authenticated user holding storage management permissions to coerce the application server into issuing HTTP requests to arbitrary internal addresses, including cloud instance metadata services. The vulnerable code path is Coolify's S3 storage endpoint testConnection() function, which blindly fetches the caller-supplied URL after only superficial format validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with storage management privileges
Delivery
Navigate to S3 endpoint configuration
Exploit
Supply crafted metadata-service URL as endpoint
Execution
Invoke testConnection()
Persist
Coolify server issues SSRF request
Impact
Read returned internal data or credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Coolify session with the storage management permission role (CVSS PR:H confirmed by vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.9 (Medium) is driven heavily by PR:H, which accurately reflects that exploitation requires an authenticated account with storage management permissions - a meaningful prerequisite that substantially narrows the attack surface compared to unauthenticated SSRF. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a Coolify account that has storage management rights navigates to the S3 storage configuration interface and enters http://169.254.169.254/latest/meta-data/iam/security-credentials/ as the endpoint URL. Upon clicking the test connection button, Coolify's backend executes testConnection(), fetching the metadata URL from the cloud instance hosting Coolify, and the response - containing temporary IAM role credentials - is surfaced back to the attacker through the application interface or error output. …
Remediation Upgrade Coolify to version 4.0.0-beta.474 or later; the fix is confirmed by commit 297e9c41e19958f6237919794c28c3fb1d4cda32 and the corresponding release at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

CVE-2026-42147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy