Skip to main content

Coolify EUVDEUVD-2026-41988

| CVE-2026-34171 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-07 GitHub_M
8.0
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.0 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
6.8 MEDIUM

Network CSRF (AV:N) needing a known UUID and a victim click gives AC:H/UI:R with PR:N; predictable-password reset yields account takeover (C:H/I:H), but impact stays within the same app so S:U.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 05:01 EUVD
Analysis Generated
Jul 07, 2026 - 03:54 vuln.today

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. This issue is fixed in version 4.0.0-beta.471.

AnalysisAI

{uuid} endpoint performing a state-changing password reset when merely visited. In versions prior to 4.0.0-beta.471, an attacker who knows a victim's invitation UUID and lures them to a crafted link can silently reset the victim's account password to a predictable value and seize the account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid invitation UUID
Delivery
Craft /invitations/{uuid} URL
Exploit
Lure victim to visit link
Execution
GET triggers password reset
Persist
Password set to predictable value
Impact
Attacker logs in and hijacks account

Vulnerability AssessmentAI

Exploitation Exploitation requires the specific GET /invitations/{uuid} endpoint of a Coolify instance older than 4.0.0-beta.471 to be reachable by the victim's browser, and the attacker must know a valid invitation UUID for the target (the description states an 'attacker-known invitation UUID'). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 score is 8.0 (High) with vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N: network-reachable and unauthenticated (PR:N) but gated by high attack complexity (AC:H) and required user interaction (UI:R), reflecting that the attacker must both obtain a valid invitation UUID and successfully lure the victim into clicking. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains or is given a valid invitation UUID for a target Coolify user and embeds the /invitations/{uuid} URL in a phishing email or an auto-loading resource on a webpage. When the victim visits the crafted link, the GET request silently resets their account password to a predictable value, and the attacker then logs in with that known password to take over the account. …
Remediation Vendor-released patch: 4.0.0-beta.471 - upgrade all Coolify instances to v4.0.0-beta.471 or later, which remediates the CSRF password-reset behavior (fix commit 25d424c743d5134d4a005a6d8f754bb3235b632c). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all deployments running versions prior to 4.0.0-beta.471 and assess UUID enumeration exposure vectors. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

EUVD-2026-41988 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy