Timing Attack Vulnerability in Coolify by Coollabsio
CVE-2026-27882

4.8 MEDIUM

Key Information:

Vendor: Coollabsio

Status
Vendor
CVE Published: 30 June 2026

What is CVE-2026-27882?

Coolify, an open-source tool for managing servers, applications, and databases, is susceptible to a timing attack due to its use of a non-constant-time string comparison operator for webhook secret token validation. Attackers can exploit this vulnerability to infer the secret token by measuring variations in response times. This flaw has been addressed in version 4.0.0-beta.461, and users are urged to upgrade to enhance their security posture.
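
The weak comparison pattern described above, beside a hardened form, as an added example in PHP (the language Coolify is written in); this is not Coolify's code or its actual patch. The function names and the sample secret are hypothetical.

```php
<?php
declare(strict_types=1);

// Weak form: string identity comparison is not guaranteed to take the same
// time for every input, so latency can correlate with how closely a guess
// matches the secret.
function verifyWebhookTokenWeak(?string $presented, string $expected): bool
{
    return $presented === $expected;
}

// Hardened form: compare fixed-length MACs with hash_equals().
function verifyWebhookTokenHardened(?string $presented, string $expected): bool
{
    if ($expected === '' || $presented === null) {
        return false; // an unset secret or a missing token never validates
    }
    // hash_equals() returns early when lengths differ. MACing both values
    // under a fresh random key makes both inputs 32 bytes and keeps the
    // compared bytes unpredictable to the caller.
    $key = random_bytes(32);
    $expectedMac = hash_hmac('sha256', $expected, $key, true);
    $presentedMac = hash_hmac('sha256', $presented, $key, true);

    return hash_equals($expectedMac, $presentedMac);
}

// Constructed sample values, not real secrets.
$secret = 'constructed-example-secret';
$candidates = [null, '', 'constructed-example-secreX', 'constructed-example-secret'];

foreach ($candidates as $candidate) {
    printf(
        "%-32s weak=%-5s hardened=%s\n",
        var_export($candidate, true),
        var_export(verifyWebhookTokenWeak($candidate, $secret), true),
        var_export(verifyWebhookTokenHardened($candidate, $secret), true)
    );
}
```

Both functions return the same verdicts; the difference is only in how much the comparison time depends on the presented value.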

Affected Version(s)

coolify < 4.0.0-beta.461

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
