Improper Authentication Vulnerability in Coolify Server Management Tool
CVE-2026-34171

8HIGH

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-34171?

Coolify, an open-source platform for managing servers and applications, has a vulnerability in its invitation system. Prior to version 4.0.0-beta.471, the GET /invitations/{uuid} endpoint was susceptible to unauthorized password resets. Attackers could exploit this flaw by crafting a specific invitation link that, when accessed by a victim, could lead to resetting their account password to a predictable value. This vulnerability has been addressed in the latest version, ensuring that users are safeguarded against such attacks.

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.