CVE-2026-34170 in Coolify
Summary
by MITRE • 07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a GitHub App source that causes Coolify to request internal services or cloud metadata endpoints. This issue is reported as fixed in version 4.0.0-beta.471.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability in Coolify versions prior to 4.0.0-beta.471 represents a critical server-side request forgery (SSRF) flaw that stems from inadequate input validation and URL handling within the GitHub App integration functionality. This security weakness specifically affects the api_url field parameter which is utilized as the base URL for all server-side HTTP requests without proper sanitization or network access restrictions. The flaw allows authenticated users to manipulate the api_url field to point to internal network services or cloud metadata endpoints, effectively bypassing normal network security controls and creating a pathway for unauthorized information disclosure.
From a technical perspective, this vulnerability manifests as a failure in proper URL validation and network boundary enforcement within the application's HTTP request handling mechanism. The affected parameter api_url is directly used in server-side HTTP requests without any form of allowlisting or private IP address blocking mechanisms that would normally prevent access to internal resources. This design flaw aligns with CWE-918, which describes Server-Side Request Forgery vulnerabilities where applications fail to properly validate and restrict external resource access. The vulnerability enables an attacker to potentially access internal services running on private network addresses, cloud provider metadata endpoints, or other sensitive internal resources that should normally be isolated from external access.
The operational impact of this vulnerability extends beyond simple information disclosure as it provides attackers with the ability to map internal network topology, discover running services, and potentially exploit other vulnerabilities within the internal infrastructure. Attackers can leverage this flaw to access cloud provider metadata services such as AWS EC2 metadata endpoints, Azure Instance Metadata Service, or similar platform-specific endpoints that contain sensitive configuration data, authentication tokens, or instance information. This capability significantly increases the attack surface for organizations using Coolify and can lead to privilege escalation, lateral movement, or complete system compromise depending on what internal resources are accessible through the affected network paths.
Security controls and mitigation strategies should address this vulnerability at multiple levels following established cybersecurity frameworks such as those outlined in the MITRE ATT&CK framework where this would be categorized under T1566.002 for Server-side Request Forgery. Organizations should implement strict URL validation mechanisms that prevent access to private IP ranges and localhost addresses, establish proper network segmentation between internal services and application servers, and deploy web application firewalls with appropriate rules to block suspicious HTTP requests. Additionally, the fix implemented in version 4.0.0-beta.471 should include comprehensive input sanitization, allowlisting of approved endpoints, and the implementation of private IP blocking mechanisms to prevent access to internal network resources from external-facing applications.
The vulnerability demonstrates the critical importance of secure coding practices around URL handling and HTTP request management in web applications, particularly those that integrate with third-party services. It highlights how seemingly innocuous configuration fields can become attack vectors when proper input validation and network access controls are not implemented. This issue serves as a reminder that applications must never trust user-provided URLs without proper sanitization and that all external resource access should be carefully controlled to prevent unauthorized access to internal systems. The remediation approach should include thorough code reviews, automated security testing of URL handling functions, and comprehensive penetration testing to identify similar vulnerabilities across the application's attack surface.