Uncontrolled API Token Lifetime in Coolify by Coollabs
CVE-2026-42172
3.1LOW
What is CVE-2026-42172?
Coolify, an open-source tool for managing servers and applications, has a vulnerability that allows API tokens to remain valid indefinitely until they are manually revoked. This issue arises from a lack of expiration on Sanctum API tokens in versions prior to 4.0.0-beta.474, which poses a significant security risk as leaked tokens enable unauthorized access for an extended period. The vulnerability has been addressed in version 4.0.0-beta.474, which implements token expiration to enhance security.
Affected Version(s)
coolify < 4.0.0-beta.474
