CVE-2026-41899 in coolify
Summary
by MITRE • 07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling spam, content injection, and webhook abuse. This issue is fixed in version 4.0.0-beta.474.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability in Coolify versions prior to 4.0.0-beta.474 represents a critical security flaw that undermines the integrity of the application's feedback submission mechanism. This weakness resides in the POST /api/feedback endpoint which lacks fundamental security controls including authentication requirements, rate limiting mechanisms, and input validation protocols. The absence of these protective measures creates a pathway for malicious actors to exploit the system by sending arbitrary content directly to configured Discord webhooks without any authorization checks or usage restrictions.
From a technical perspective, this vulnerability enables unauthorized users to abuse the feedback functionality as a vector for spam attacks and content injection. The lack of input validation means that attackers can craft malicious payloads that get forwarded unchanged to Discord webhooks, potentially leading to spam messages, phishing attempts, or even the exfiltration of sensitive information through webhook configurations. The absence of rate limiting allows for rapid-fire submissions that could overwhelm webhook endpoints or consume excessive resources. This vulnerability aligns with CWE-346 known as "Origin Validation Error" and represents a classic case of insufficient input validation combined with inadequate access controls.
The operational impact of this vulnerability extends beyond simple spamming, as it creates opportunities for more sophisticated attacks through webhook abuse. An attacker could potentially use this functionality to send malicious payloads to Discord channels, conduct social engineering campaigns, or even establish persistent communication channels with compromised systems. The attack surface is particularly concerning given that Coolify is designed for self-hosting environments where users may have less oversight over their infrastructure security compared to enterprise deployments.
Mitigation strategies should focus on implementing proper authentication requirements for all API endpoints, establishing robust rate limiting policies to prevent abuse, and enforcing comprehensive input validation to sanitize all user-supplied data before processing. The fix implemented in version 4.0.0-beta.474 addresses these fundamental security gaps by adding the necessary controls to protect against unauthorized access and abuse of the feedback system. Organizations using older versions should immediately apply the patch and review their webhook configurations for any unauthorized modifications or suspicious activity that may have occurred during the vulnerability window. This remediation aligns with ATT&CK technique T1566 which covers social engineering through phishing, as well as techniques related to command and control communications through webhook abuse.