X-Forwarded-Host Trust Vulnerability in Coolify Server Management Tool
CVE-2026-34198

5.3MEDIUM

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-34198?

Coolify, an open-source server management tool, previously contained a significant flaw in its TrustProxies middleware which accepted X-Forwarded-Host headers from any source. This oversight allowed unauthenticated attackers to request a password reset, generating links to attacker-controlled domains. Furthermore, the TrustHosts middleware failed to properly validate hosts due to a circular caching issue, exacerbating the situation. This issue has been addressed in version 4.0.0-beta.471, making immediate updates essential for users.

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.