Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Low-privilege authentication required to configure GitHub App; SSRF yields read-only access to internal endpoints with no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a GitHub App source that causes Coolify to request internal services or cloud metadata endpoints. This issue is reported as fixed in version 4.0.0-beta.471.
AnalysisAI
Server-Side Request Forgery (SSRF) in Coolify's GitHub App integration exposes internal network services and cloud metadata endpoints to authenticated low-privilege users. Versions prior to 4.0.0-beta.471 allow any authenticated user to set the GithubApp api_url field to an arbitrary URL - including RFC 1918 private addresses or cloud instance metadata endpoints like 169.254.169.254 - which Coolify then fetches server-side without restriction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Coolify user account - the CVSS PR:L metric confirms low-privilege authentication is sufficient; unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.3 (Medium) reflects AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - network-reachable, low complexity, requiring low privileges, with limited confidentiality impact and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Coolify user with access to the GitHub App configuration UI sets the api_url field to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDS endpoint). When Coolify processes this GitHub App source, it issues a server-side HTTP GET to that URL and returns the response, leaking the IAM role name attached to the instance. … |
| Remediation | Upgrade Coolify to version 4.0.0-beta.471 or later; this is the vendor-confirmed fix per the advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-3g6r-cxv5-3c7h. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41997