CVE-2026-34171 in Coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. This issue is fixed in version 4.0.0-beta.471.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability identified in Coolify versions prior to 4.0.0-beta.471 represents a critical security flaw in the application's invitation and password reset mechanism that enables unauthorized account takeovers through social engineering attacks. This weakness specifically affects the GET /invitations/{uuid} endpoint which was designed to handle invitation requests but inadvertently allowed malicious actors to manipulate the password reset process using known invitation UUIDs. The vulnerability stems from insufficient validation of the invitation state during the password reset flow, creating a path for attackers to bypass normal authentication requirements and directly reset victim accounts to predetermined passwords.

The technical implementation of this flaw demonstrates poor input validation and inadequate access control mechanisms within the application's authorization framework. When an attacker crafts a URL containing a valid invitation UUID and successfully induces a victim to visit this crafted endpoint, the system processes the request without proper verification of the invitation's current state or the requester's authorization level. This design flaw allows the password reset operation to proceed regardless of whether the invitation is still active, has been previously used, or if legitimate user consent was obtained. The vulnerability essentially transforms a controlled invitation-based access mechanism into an unrestricted password reset vector, enabling attackers to gain unauthorized control over victim accounts.

From an operational perspective, this vulnerability creates significant risk for organizations using Coolify as their self-hosted management platform. The attack requires only that a victim click on a maliciously crafted URL, making it particularly dangerous in phishing campaigns or when users are induced to visit compromised websites. The predictable nature of the reset password value means attackers can immediately gain access to victim accounts without needing additional credentials or complex exploitation techniques. This creates a direct pathway for data exfiltration, privilege escalation, and potential lateral movement within networks where Coolify is deployed as a central management tool.

The vulnerability aligns with CWE-642 (External Control of Resource Identifier) and represents a classic example of insecure direct object reference in the context of invitation-based systems. It also maps to ATT&CK technique T1531 (Account Access Removal) and T1078 (Valid Accounts) as attackers can leverage this flaw to assume legitimate user identities without detection. Organizations should immediately implement the patch available in version 4.0.0-beta.471 which addresses the improper state validation and access control checks in the invitation handling endpoint. Additional mitigations include implementing proper input sanitization, adding rate limiting to password reset requests, and conducting security reviews of all endpoints that handle invitation-based authentication flows.

Organizations currently running vulnerable versions should perform immediate risk assessment to identify any potential exploitation attempts and consider implementing network monitoring to detect suspicious access patterns to the affected endpoint. The fix in version 4.0.0-beta.471 likely includes enhanced validation of invitation state, proper authorization checks before allowing password reset operations, and potentially additional logging mechanisms to track invitation usage. Security teams should also review their incident response procedures to ensure they can quickly identify and respond to similar vulnerabilities that may exist in other components of their self-hosted infrastructure management systems.

Responsible

GitHub M

Reservation

03/25/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!