Skip to main content

Coolify EUVDEUVD-2026-41984

| CVE-2026-34198 MEDIUM
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-07-07 GitHub_M
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
6.8 MEDIUM

AV:N and PR:N confirmed; UI:R reflects required victim click; C:H added because successful account takeover exposes all managed infrastructure credentials, not just integrity.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 05:01 EUVD
Analysis Generated
Jul 07, 2026 - 04:14 vuln.today

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting X-Forwarded-Host from any source. The TrustHosts middleware, intended to prevent host header attacks, has a circular caching dependency that prevents it from ever validating hosts. When a password reset is requested, the ResetPassword notification generates the reset URL using url(route(..., false)), which derives the host from the (spoofable) request. An unauthenticated attacker can trigger a password reset email containing a link pointing to an attacker-controlled domain, enabling token theft and account takeover. This issue is fixed in version 4.0.0-beta.471.

AnalysisAI

Password reset poisoning in Coolify prior to 4.0.0-beta.471 enables unauthenticated account takeover by injecting a forged X-Forwarded-Host header during a password reset request. Two compounding middleware failures make this possible: TrustProxies trusts all proxy sources unconditionally, and TrustHosts is rendered inoperable by a circular caching dependency, meaning the Host header is never validated. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target user email
Delivery
Send password reset POST with forged X-Forwarded-Host header
Exploit
Coolify generates reset URL pointing to attacker domain
Install
Victim receives and clicks reset email link
C2
Token captured at attacker-controlled server
Execute
Replay token against real Coolify instance
Impact
Full account takeover

Vulnerability AssessmentAI

Exploitation The attacker must be able to send an HTTP request with a forged X-Forwarded-Host header to the Coolify instance's password reset endpoint - no authentication or prior access required (PR:N, AV:N per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS of 5.3 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) is modest but potentially undersells real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows (or enumerates) a Coolify user's email address sends an HTTP POST to the password reset endpoint with an X-Forwarded-Host header set to an attacker-controlled domain (e.g., evil.attacker.com). Coolify's unguarded middleware stack accepts this header as the canonical host, generates a reset URL of the form https://evil.attacker.com/reset-password?token=<TOKEN>, and emails it to the victim. …
Remediation The confirmed fix is to upgrade to Coolify version 4.0.0-beta.471 or later, available at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

EUVD-2026-41984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy