CVE-2025-64423

high-risk
Published 2026-01-05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.

Do I need to act?

-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Coollabs

References (2)

Exploit https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j
Exploit https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j
63
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 0/34 · Minimal
Exposure 33/34 · Critical