Remote Code Execution Vulnerability in Coolify by Coollabs
CVE-2026-34170

4.3MEDIUM

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-34170?

Coolify, an open-source management tool for servers, applications, and databases, is vulnerable due to the misconfiguration of the GithubApp api_url field. This lack of allowlisting and private IP blocking enables authenticated users to manipulate server-side HTTP requests, potentially leading to the compromise of internal services or exposure of sensitive cloud metadata endpoints. The vulnerability is addressed in version 4.0.0-beta.471.

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.