CVE-2025-64423
Unknown Unknown - Not Provided

Privilege Escalation via Invitation Link Disclosure in Coolify

Vulnerability report for CVE-2025-64423, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-07-06
AI Q&A
2026-01-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.434 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-64423 is a high-severity privilege escalation vulnerability in Coolify versions up to and including v4.0.0-beta.434. It allows a low privileged user (member) to see and use administrator invitation links that were intended for admins. If the low privileged user uses the invitation link before the legitimate admin recipient, they can log in as an administrator, effectively escalating their privileges without needing additional user interaction. [1]

Impact Analysis

This vulnerability can lead to unauthorized administrative access by low privileged users, resulting in a full compromise of the system's confidentiality, integrity, and availability. Attackers can gain control over sensitive information, alter system settings, and disrupt services, posing a significant security risk. [1]

Mitigation Strategies

Since no patched versions are available at the time of reporting, immediate mitigation steps include restricting access to invitation links, monitoring for unauthorized use of admin invitation links by low privileged users, and limiting the distribution of such links only to trusted administrators. Additionally, consider auditing user privileges and invitation link usage to detect potential exploitation attempts. [1]

Compliance Impact

The vulnerability allows unauthorized privilege escalation to administrator level, leading to potential unauthorized access to sensitive information and system controls. This could result in non-compliance with standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive data. However, no specific compliance impacts are detailed in the provided resources. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64423. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart