CVE-2026-34171

CoolLabs · Coolify

Coolify is vulnerable to a Cross-Site Request Forgery (CSRF) attack, which could allow an unauthorized party to perform actions on behalf of an authenticated user.

Executive summary

A Cross-Site Request Forgery (CSRF) vulnerability in Coolify could enable attackers to perform unauthorized actions, potentially leading to a full compromise of the application environment.

Vulnerability

This vulnerability is a CSRF (CWE-352) flaw where an attacker can trick an authenticated user into executing unwanted actions within the Coolify interface. This is typically achieved by enticing a user to click a malicious link while they have an active session.

Business impact

With a CVSS score of 8.0, this vulnerability poses a significant risk to the confidentiality and integrity of the application. An attacker could force administrative actions, such as changing system settings or creating new user accounts, leading to unauthorized access and potential data exfiltration.

Remediation

Immediate Action: Upgrade to Coolify version 4.0.0-beta.471 or later to implement the required CSRF protection mechanisms.

Proactive Monitoring: Review audit logs for unexpected account modifications or changes to application settings that do not align with known administrative activity.

Compensating Controls: Encourage users to log out of the Coolify dashboard when not in use and implement browser-based security policies to mitigate CSRF risks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

CSRF vulnerabilities can be highly damaging in management tools like Coolify. It is essential to update to the patched version immediately to ensure that session integrity is maintained and to prevent unauthorized administrative actions.