Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Network CSRF (AV:N) needing a known UUID and a victim click gives AC:H/UI:R with PR:N; predictable-password reset yields account takeover (C:H/I:H), but impact stays within the same app so S:U.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. This issue is fixed in version 4.0.0-beta.471.
AnalysisAI
{uuid} endpoint performing a state-changing password reset when merely visited. In versions prior to 4.0.0-beta.471, an attacker who knows a victim's invitation UUID and lures them to a crafted link can silently reset the victim's account password to a predictable value and seize the account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the specific GET /invitations/{uuid} endpoint of a Coolify instance older than 4.0.0-beta.471 to be reachable by the victim's browser, and the attacker must know a valid invitation UUID for the target (the description states an 'attacker-known invitation UUID'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 score is 8.0 (High) with vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N: network-reachable and unauthenticated (PR:N) but gated by high attack complexity (AC:H) and required user interaction (UI:R), reflecting that the attacker must both obtain a valid invitation UUID and successfully lure the victim into clicking. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains or is given a valid invitation UUID for a target Coolify user and embeds the /invitations/{uuid} URL in a phishing email or an auto-loading resource on a webpage. When the victim visits the crafted link, the GET request silently resets their account password to a predictable value, and the attacker then logs in with that known password to take over the account. … |
| Remediation | Vendor-released patch: 4.0.0-beta.471 - upgrade all Coolify instances to v4.0.0-beta.471 or later, which remediates the CSRF password-reset behavior (fix commit 25d424c743d5134d4a005a6d8f754bb3235b632c). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all deployments running versions prior to 4.0.0-beta.471 and assess UUID enumeration exposure vectors. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41988