X-Forwarded-Host Trust Vulnerability in Coolify Server Management Tool
CVE-2026-34198
5.3MEDIUM
What is CVE-2026-34198?
Coolify, an open-source server management tool, previously contained a significant flaw in its TrustProxies middleware which accepted X-Forwarded-Host headers from any source. This oversight allowed unauthenticated attackers to request a password reset, generating links to attacker-controlled domains. Furthermore, the TrustHosts middleware failed to properly validate hosts due to a circular caching issue, exacerbating the situation. This issue has been addressed in version 4.0.0-beta.471, making immediate updates essential for users.
Affected Version(s)
coolify < 4.0.0-beta.471
