Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Token leak is a required precondition (AC:H, PR:L); read-only API access limits impact to C:L with no integrity or availability consequence.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474.
AnalysisAI
Sanctum API tokens in Coolify never expire prior to v4.0.0-beta.474, meaning any token that is leaked or stolen remains permanently valid until an administrator manually revokes it. This affects the self-hosted server, application, and database management platform across all versions below 4.0.0-beta.474. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to first obtain a valid Coolify Sanctum API token through a separate vector - the CVSS PR:L metric confirms a low-privilege authenticated credential is necessary; unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the constrained nature of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who intercepts a Coolify API token - for example, from an exposed environment variable in a public repository, an unprotected log file, or a compromised CI/CD pipeline - can use that token indefinitely to query the Coolify API and retrieve sensitive configuration data about managed servers, applications, and databases. Because the token never expires, the attacker retains access silently even after the original credential leak is forgotten or the legitimate user rotates their password. … |
| Remediation | The primary fix is to upgrade Coolify to v4.0.0-beta.474 or later, available at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41980