Coollabsio Coolify vulnerabilities
37 known vulnerabilities affecting coollabsio/coolify.
Total CVEs: 37
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 21, MEDIUM 12
Vulnerabilities
Page 2 of 2
CVE-2025-22606 | HIGH | P3 | CVSS 7.8 | CWE-78 | fixed in 4.0.0-beta.359 | 2025-01-24
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`'`), it breaks
Source: nvd

CVE-2026-41896 | HIGH | P3 | CVSS 7.5 | CWE-287 | fixed in 4.0.0-beta.474 | 2026-06-29
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key, the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no default — meaning newly created applications have a null webhoo
Source: nvd

CVE-2025-22605 | HIGH | P3 | CVSS 7.8 | CWE-78 | affected >= 4.0.0-beta.18, < 4.0.0-beta.253 | 2025-01-24
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Starting in version 4.0.0-beta.18 and prior to 4.0.0-beta.253, a vulnerability in the execution of commands on remote servers allows an authenticated user to execute arbitrary code on the local Coolify container, gaining access to data and private keys or
Source: nvd

CVE-2026-34592 | HIGH | P3 | CVSS 7.7 | CWE-639 | fixed in 4.0.0-beta.471 | 2026-06-29
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying their IDs directly. This vulnerability is fixed in 4.0.0
Source: nvd

CVE-2025-64421 | HIGH | P3 | CVSS 8.0 | CWE-863 | affected ≤ 4.0.0-beta.434 | 2026-01-05
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks the invite button a second time, it actually works. This
Source: nvd

CVE-2025-59158 | HIGH | P3 | CVSS 8.0 | CWE-116 | fixed in 4.0.0-beta.420.7 | 2026-01-05
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously
Source: nvd

CVE-2025-22610 | MEDIUM | P3 | CVSS 6.5 | CWE-862 | fixed in 4.0.0-beta.361 | 2025-01-24
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and "client secret" for every custom OAuth provider. The attacker can also m
Source: nvd

CVE-2026-27955 | MEDIUM | P4 | CVSS 6.6 | CWE-78 | fixed in 4.0.0-beta.464 | 2026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, al
Source: nvd

CVE-2025-22608 | MEDIUM | P4 | CVSS 6.5 | CWE-639 | fixed in 4.0.0-beta.361 | 2025-01-24
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID, resulting in a Denial-of-Service attack (DOS). Version 4.
Source: nvd

CVE-2025-59955 | MEDIUM | P4 | CVSS 5.7 | CWE-201 | affected ≤ 4.0.0-beta.428 | 2026-01-05
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints that allows authenticated team members to access a highly sensi
Source: nvd

CVE-2026-27883 | MEDIUM | P4 | CVSS 5.0 | CWE-639 | fixed in 4.0.0-beta.464 | 2026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but neve
Source: nvd

CVE-2026-27881 | MEDIUM | P4 | CVSS 5.0 | CWE-639 | fixed in 4.0.0-beta.464 | 2026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from
Source: nvd

CVE-2025-22607 | MEDIUM | P4 | CVSS 5.5 | CWE-200 | fixed in 4.0.0-beta.361 | 2025-01-24
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the details page for any GitHub / GitLab configuration on a Coolify instance by only knowing the UUID of the model. This exposes the "client id", "client
Source: nvd

CVE-2026-27882 | MEDIUM | P4 | CVSS 4.8 | CWE-208 | fixed in 4.0.0-beta.461 | 2026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discove
Source: nvd

CVE-2025-24025 | MEDIUM | P4 | CVSS 6.1 | CWE-116 | fixed in 4.0.0-beta.361 | 2025-01-24
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.380, the tags page allows users to search for tags. If the search does not return any results, the query gets reflected on the error modal, which leads to cross-site scripting. Version 4.0.0-beta.380 fixes the issue.
Source: nvd

CVE-2026-27956 | MEDIUM | P4 | CVSS 4.3 | CWE-639 | fixed in 4.0.0-beta.464 | 2026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to ot
Source: nvd

CVE-2025-64422 | MEDIUM | P4 | CVSS 4.3 | CWE-770 | affected >= 4.0.0-beta.434 | 2026-01-05
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify starting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts agains
Source: nvd