CVE-2025-64423
Unknown Unknown - Not Provided
Privilege Escalation via Invitation Link Disclosure in Coolify

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64423
EUVD
EUVD-2025-206231
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.434 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-64423 is a high-severity privilege escalation vulnerability in Coolify versions up to and including v4.0.0-beta.434. It allows a low privileged user (member) to see and use administrator invitation links that were intended for admins. If the low privileged user uses the invitation link before the legitimate admin recipient, they can log in as an administrator, effectively escalating their privileges without needing additional user interaction. [1]

Impact Analysis

This vulnerability can lead to unauthorized administrative access by low privileged users, resulting in a full compromise of the system's confidentiality, integrity, and availability. Attackers can gain control over sensitive information, alter system settings, and disrupt services, posing a significant security risk. [1]

Mitigation Strategies

Since no patched versions are available at the time of reporting, immediate mitigation steps include restricting access to invitation links, monitoring for unauthorized use of admin invitation links by low privileged users, and limiting the distribution of such links only to trusted administrators. Additionally, consider auditing user privileges and invitation link usage to detect potential exploitation attempts. [1]

Compliance Impact

The vulnerability allows unauthorized privilege escalation to administrator level, leading to potential unauthorized access to sensitive information and system controls. This could result in non-compliance with standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive data. However, no specific compliance impacts are detailed in the provided resources. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64423. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart