Uncontrolled API Token Lifetime in Coolify by Coollabs
CVE-2026-42172

3.1LOW

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-42172?

Coolify, an open-source tool for managing servers and applications, has a vulnerability that allows API tokens to remain valid indefinitely until they are manually revoked. This issue arises from a lack of expiration on Sanctum API tokens in versions prior to 4.0.0-beta.474, which poses a significant security risk as leaked tokens enable unauthorized access for an extended period. The vulnerability has been addressed in version 4.0.0-beta.474, which implements token expiration to enhance security.

Affected Version(s)

coolify < 4.0.0-beta.474

References

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.