CVE-2025-64421
Unknown Unknown - Not Provided
Privilege Escalation via Invitation Bypass in Coolify v4.0.0-beta

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks the invite button a second time, it actually works. This way, a low privileged user can invite themselves as an administrator to the Coolify instance. After the high privileged user is invited, the attacker can initiate a password reset and log in with the new admin. As of time of publication, it is unclear if a patch is available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64421
EUVD
EUVD-2025-206239
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.434 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-64421 is a high-severity privilege escalation vulnerability in Coolify versions up to v4.0.0-beta.434. A low privileged user (member) can exploit a flaw in the invitation process to invite themselves as an administrator. Although the application initially throws an error when a member tries to invite a new admin, clicking the invite button a second time succeeds, granting admin privileges. The attacker can then reset the password for the new admin account and gain full administrative access to the system. [1]

Impact Analysis

This vulnerability allows an attacker with low privileged access to escalate their privileges to administrator level, leading to a full compromise of the system. The attacker can gain unauthorized administrative control, impacting the confidentiality, integrity, and availability of the system's data and operations. This can result in unauthorized access, data breaches, and potential disruption of services. [1]

Detection Guidance

Detection can focus on monitoring the /team/members endpoint for repeated invite attempts by low privileged users. Specifically, look for multiple invite requests from the same member user, especially repeated clicks on the invite button. Network traffic analysis or application logs can be inspected for such patterns. However, no specific commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include restricting member-level users from accessing the invite functionality or monitoring and blocking repeated invite attempts. Since no patch is available at the time of reporting, administrators should consider limiting member privileges or disabling the invite feature temporarily to prevent privilege escalation. Additionally, monitoring for suspicious password reset requests for newly invited admin accounts is advised. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64421. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart