CVE-2026-27882
Received Received - Intake

Timing Attack in Coolify Webhook Secret Validation

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-06-30
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
CVE-2026-27882
EUVD
EUVD-2026-40328

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.461 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

An attacker exploiting this vulnerability can gradually discover the secret webhook token used by Coolify's GitLab webhook endpoint.

With the secret token, the attacker can perform unauthorized actions such as triggering deployments or injecting malicious code into your server or applications.

The attack requires many requests and stable network conditions, making it complex, but the confidentiality impact is high because the secret token can be disclosed.

Executive Summary

CVE-2026-27882 is a timing attack vulnerability in the GitLab webhook token validation of Coolify versions 4.0.0-beta.460 and earlier.

The issue arises because the webhook secret token is validated using a non-constant-time string comparison operator (`!==`). This allows attackers to exploit differences in response times to gradually discover the secret token.

By measuring how long the system takes to respond to requests with different tokens, an attacker can statistically determine each character of the secret token.

This vulnerability is fixed in version 4.0.0-beta.461 by replacing the vulnerable comparison with PHP's `hash_equals()` function, which performs constant-time comparisons and prevents timing side-channel attacks.

Detection Guidance

This vulnerability can be detected by observing timing differences in responses from the GitLab webhook endpoint when sending requests with varying secret tokens. An attacker can measure response times to statistically infer the secret token character by character.

To detect this on your system, you could perform timing analysis by sending multiple webhook requests with different token guesses and measuring the response times to see if there is a correlation between token correctness and response delay.

While no specific commands are provided, a typical approach involves using tools like curl or custom scripts to send repeated requests and measure response times precisely. For example, using curl in a loop with different token values and recording response times could help identify timing discrepancies.

Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.461 or later, where the vulnerability is fixed.

The fix involves replacing the non-constant-time string comparison operator (`!==`) with PHP's `hash_equals()` function in the GitLab webhook token validation code. This change ensures constant-time comparison and prevents timing attacks.

Compliance Impact

The vulnerability allows an attacker to gradually discover the secret webhook token through timing attacks, potentially enabling unauthorized actions such as triggering deployments or injecting malicious code.

Disclosure or misuse of secret tokens could lead to unauthorized access or data manipulation, which may impact the confidentiality and integrity of systems.

Such unauthorized access or data breaches could have implications for compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive data and secure access controls.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27882. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart