CVE-2026-42147 in Coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection() sends a server-side request to the configured endpoint, allowing an authenticated user with storage management permissions to make Coolify request internal or metadata-service URLs. This issue is fixed in version 4.0.0-beta.474.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability in Coolify versions prior to 4.0.0-beta.474 represents a critical server-side request forgery (SSRF) flaw that undermines the application's security boundaries and allows authenticated users to make unauthorized requests to internal network resources. This issue specifically affects the S3 storage endpoint validation mechanism, which only performs superficial URL format validation without proper sanitization or access control enforcement. The flaw stems from insufficient input validation in the testConnection() method that processes user-provided S3 endpoint configurations, creating an attack vector where malicious actors can manipulate the system to communicate with internal services such as metadata services, internal APIs, or other sensitive endpoints within the network infrastructure.

The technical implementation of this vulnerability involves the application's failure to properly validate and sanitize S3 endpoint URLs before executing server-side requests. When an authenticated user with storage management permissions configures an S3 endpoint, the system performs a basic URL format check but does not implement comprehensive validation to prevent access to internal resources. The testConnection() function executes server-side requests without proper boundary enforcement, allowing attackers to specify endpoints that resolve to internal services such as AWS metadata service endpoints (http://169.254.169.254) or other internal network addresses. This design flaw enables attackers to leverage the application's legitimate network access capabilities to probe internal systems, potentially extracting sensitive information, bypassing network security controls, or even escalating privileges through information disclosure attacks.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with potential access to critical internal services and resources that should remain isolated from external or unauthorized access. An attacker could exploit this vulnerability to enumerate internal services, gather system information, access sensitive metadata, or potentially gain access to other internal systems that are not directly exposed to the internet. The vulnerability affects any authenticated user who possesses storage management permissions, which may include administrators or authorized personnel with elevated privileges within the Coolify environment. This creates a significant risk for organizations that rely on Coolify for server management and application deployment, as it could enable lateral movement attacks or information gathering activities that compromise the overall security posture of the infrastructure.

Security controls and standards such as CWE-918 Server-Side Request Forgery (SSRF) and ATT&CK technique T1071.004 Application Layer Protocol: DNS provide relevant context for understanding this vulnerability. The flaw directly correlates with CWE-918's definition of SSRF attacks where applications make unintended server-side requests to internal resources, and aligns with ATT&CK's categorization of application layer protocol abuse as a method for reconnaissance and privilege escalation. Organizations should implement strict endpoint validation mechanisms that enforce proper URL sanitization, utilize allowlists for acceptable endpoints, and ensure that all external requests are properly authenticated and authorized. The fix implemented in version 4.0.0-beta.474 addresses this issue by strengthening the S3 endpoint validation process to prevent access to internal network resources and metadata services, thereby restoring proper security boundaries within the Coolify application.

Mitigation strategies should include immediate deployment of the patched version 4.0.0-beta.474 or higher, along with comprehensive network segmentation and firewall rules that restrict direct access to internal services from the Coolify application servers. Organizations should also implement robust input validation controls that enforce strict URL format checking, utilize dedicated validation libraries for endpoint verification, and consider implementing network-based restrictions that prevent outbound connections to internal IP ranges or metadata service endpoints. Additionally, security monitoring should be enhanced to detect unusual outbound connection patterns or attempts to access internal resources through the Coolify application, providing early warning capabilities for potential exploitation of similar vulnerabilities in other components of the infrastructure stack.

Responsible

GitHub M

Reservation

04/24/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!