CVE-2026-41896

HMAC Signature Bypass in Coolify

Vulnerability report for CVE-2026-41896, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key used by Coolify's webhook endpoints to validate incoming requests is the application's manual_webhook_secret_github field, which is nullable with no default, meaning newly created applications have a null webhook secret. PHP's hash_hmac() function silently coerces a null key to an empty string ''. So when the secret is null, the server computes hash_hmac('sha256', $payload, ''), a deterministic value that any attacker can calculate independently. By sending X-Hub-Signature-256: sha256=<hash_hmac('sha256', payload, '')>, an unauthenticated attacker can forge a valid signature and trigger deployments. This vulnerability is fixed in 4.0.0-beta.474.


Meta Information

Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: coolify
Product: coolify
Version / Range: all versions before 4.0.0-beta.474 (4.0.0-beta.474 itself excluded)

Exploitability

CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Executive Summary

This vulnerability exists in Coolify versions prior to 4.0.0-beta.474. Coolify uses a field called manual_webhook_secret_github as an HMAC key to validate incoming webhook requests. However, this field is nullable and has no default value, meaning new applications can have a null webhook secret. In PHP, when the hash_hmac() function receives a null key, it treats it as an empty string. As a result, the server computes a deterministic HMAC hash using an empty string as the key. An attacker can independently calculate this hash and forge a valid signature, allowing them to send unauthorized webhook requests that trigger deployments.

Impact Analysis

An unauthenticated attacker can exploit this vulnerability to forge valid webhook signatures and trigger deployments on the affected Coolify server. This means the attacker can potentially deploy malicious code or make unauthorized changes to your applications or servers managed by Coolify.

Detection Guidance

This vulnerability can be detected by checking if your Coolify installation is running a version prior to 4.0.0-beta.474 and if the manual_webhook_secret_github field is null or empty. Since the vulnerability involves the webhook secret being null, an attacker can forge valid webhook signatures.

To detect exploitation attempts on your system, you can monitor incoming webhook requests for an X-Hub-Signature-256 header whose value equals hash_hmac('sha256', payload, '') over the raw request body, i.e. a signature computed with an empty HMAC key.

Specific commands are not provided in the available information.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Coolify to version 4.0.0-beta.474 or later, where the issue with the nullable webhook secret has been fixed.

Additionally, ensure that the manual_webhook_secret_github field is set to a non-null, secure secret value to prevent attackers from forging webhook signatures.
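The empty-key check described under Detection Guidance and the non-null secret requirement under Mitigation Strategies, shown together as an added Python example that is not Coolify's own code. PHP's hash_hmac() coerces a null key to '', while Python's hmac module rejects None, so the guard against a missing secret is written out explicitly here; the HMAC-SHA256 value itself is the same in both languages. The webhook deliveries, the secret and the function names are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional


def compute_signature(secret: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over the raw body, in GitHub's X-Hub-Signature-256 format.

    With secret == b"" this is the same value PHP's hash_hmac('sha256', $payload, '')
    produces, i.e. the value a null secret collapses to in the unfixed code.
    """
    digest = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: Optional[str], payload: bytes, header: Optional[str]) -> bool:
    """Hardened verifier: refuse to validate at all when no secret is configured.

    The unfixed behaviour fell through with an empty key; here a null or empty
    secret is treated as a configuration error and every request is rejected.
    """
    if not secret:  # None or "" -> no usable key, fail closed
        return False
    if not header or not header.startswith("sha256="):
        return False
    expected = compute_signature(secret.encode(), payload)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), header.encode())


def is_empty_key_signature(payload: bytes, header: Optional[str]) -> bool:
    """Detection: does this header equal the HMAC of the body under an empty key?

    A match means the signature was produced without a secret, which is what a
    request forged against a null-secret application looks like.
    """
    if not header:
        return False
    return hmac.compare_digest(compute_signature(b"", payload).encode(), header.encode())


# Constructed sample deliveries (body, X-Hub-Signature-256 header); not real traffic.
_REAL_SECRET = b"constructed-webhook-secret"
_BODY_A = b'{"ref":"refs/heads/main","after":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}'
_BODY_B = b'{"ref":"refs/heads/main","after":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}'
_BODY_C = b'{"ref":"refs/heads/dev"}'
SAMPLE_DELIVERIES = [
    (_BODY_A, compute_signature(_REAL_SECRET, _BODY_A)),  # legitimate, keyed with the real secret
    (_BODY_B, compute_signature(b"", _BODY_B)),           # empty-key signature: should be flagged
    (_BODY_C, "sha256=" + "00" * 32),                     # junk signature: rejected, but not empty-key
]


def scan_deliveries(deliveries) -> list:
    """Return the indices of deliveries whose signature was made with an empty key."""
    return [i for i, (body, sig) in enumerate(deliveries) if is_empty_key_signature(body, sig)]


if __name__ == "__main__":
    print("empty-key deliveries:", scan_deliveries(SAMPLE_DELIVERIES))
    print("null secret accepted:", verify_signature(None, _BODY_B, SAMPLE_DELIVERIES[1][1]))
```

In a real deployment the detector would read the raw body and header from the reverse-proxy or application logs rather than from the in-memory list; the important detail is that the check must run over the exact bytes that were signed, not a re-serialised JSON copy.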
