CVE-2025-64423
Privilege Escalation via Invitation Link Disclosure in Coolify
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coollabsio | coolify | to 4.0.0-beta.434 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64423 is a high-severity privilege escalation vulnerability in Coolify versions up to and including v4.0.0-beta.434. It allows a low privileged user (member) to see and use administrator invitation links that were intended for admins. If the low privileged user uses the invitation link before the legitimate admin recipient, they can log in as an administrator, effectively escalating their privileges without needing additional user interaction. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized administrative access by low privileged users, resulting in a full compromise of the system's confidentiality, integrity, and availability. Attackers can gain control over sensitive information, alter system settings, and disrupt services, posing a significant security risk. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available at the time of reporting, immediate mitigation steps include restricting access to invitation links, monitoring for unauthorized use of admin invitation links by low privileged users, and limiting the distribution of such links only to trusted administrators. Additionally, consider auditing user privileges and invitation link usage to detect potential exploitation attempts. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized privilege escalation to administrator level, leading to potential unauthorized access to sensitive information and system controls. This could result in non-compliance with standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive data. However, no specific compliance impacts are detailed in the provided resources. [1]