CVE-2025-64423

HIGH

Coollabs Coolify < 4.0.0 - Authentication Bypass

Title source: rule

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.

References (1)

[Exploit, Vendor Advisory] https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j

Scores

CVSS v3 8.8

EPSS 0.0006

EPSS Percentile 19.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-287

Status published

Products (1)

coollabs/coolify 4.0.0 beta100 (50 CPE variants)

Published Jan 05, 2026

Tracked Since Feb 18, 2026