Authorization Flaw in Coolify Affects OAuth Configuration Management
CVE-2025-22610

5.7MEDIUM

Key Information:

Vendor
Coollabsio
Status
Coolify
Vendor
CVE Published:
24 January 2025

Summary

Coolify, an open-source platform for managing servers and applications, has a vulnerability that allows any authenticated user to access the global OAuth configuration settings. This flaw exposes sensitive credentials including the 'client id' and 'client secret' for all custom OAuth providers, potentially enabling unauthorized access and modification of the global OAuth settings. The issue has been addressed in version 4.0.0-beta.361.

Affected Version(s)

coolify < 4.0.0-beta.361

References

https://github.com/coollabsio/coolify/security/advisories...
x_refsource_CONFIRM

CVSS V4

Score:
5.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-22610 : Authorization Flaw in Coolify Affects OAuth Configuration Management | SecurityVulnerability.io