CVE-2026-34170
Received Received - Intake

Server-Side Request Forgery in Coolify Prior to 4.0.0-beta.471

Vulnerability report for CVE-2026-34170, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a GitHub App source that causes Coolify to request internal services or cloud metadata endpoints. This issue is reported as fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated user to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing internal services and cloud metadata endpoints. This could lead to unauthorized access to sensitive internal information.

Such unauthorized access and potential data leakage could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and protection against unauthorized internal data exposure.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Executive Summary

CVE-2026-34170 is a Server-Side Request Forgery (SSRF) vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The issue exists in the GitHub App integration where the `api_url` field, which is user-controlled, is used as the base URL for server-side HTTP requests without proper validation or blocking of private/internal IP addresses.

Because of insufficient validation and disabled authorization checks, any authenticated user can configure the `api_url` to point to internal services or cloud metadata endpoints, causing Coolify to make unintended HTTP requests to these internal resources.

This vulnerability allows attackers to scan internal services, access cloud metadata, and potentially leak partial response data such as error messages.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user to make Coolify send HTTP requests to internal or cloud metadata services that are normally inaccessible externally.

  • Internal service scanning, which could reveal information about internal network structure or services.
  • Access to cloud metadata endpoints, potentially exposing sensitive information such as credentials or configuration data.
  • Partial leakage of response data, including error messages, which might aid further attacks.

Overall, this could lead to information disclosure and increase the attack surface within your internal environment.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized server-side HTTP requests originating from Coolify to internal or cloud metadata endpoints. Specifically, look for requests to internal IP addresses such as 169.254.169.254 (cloud metadata) or 127.0.0.1 on uncommon ports.

You can also audit Coolify logs for calls to functions like updateGithubAppName(), generateGithubToken(), or githubApi() that use user-controlled api_url values.

Suggested commands include network monitoring tools or packet capture filters to detect outbound HTTP requests to private IP ranges from the Coolify server.

  • Use tcpdump or tshark to capture HTTP requests to internal IPs, e.g.: tcpdump -i eth0 dst net 169.254.0.0/16 or tcpdump -i eth0 dst net 127.0.0.0/8
  • Use curl or wget commands to test if the api_url field can be set to internal addresses and trigger requests.
  • Review application logs for any entries showing requests to internal or cloud metadata endpoints.
Mitigation Strategies

The immediate mitigation steps include upgrading Coolify to version 4.0.0-beta.471 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict authenticated users from configuring GitHub App sources or limit their permissions to prevent exploitation.

Implement network-level controls to block Coolify servers from making HTTP requests to internal IP ranges or cloud metadata endpoints.

Review and harden URL validation in your deployment by adding strict validation rules that block private IP addresses and internal URLs.

Re-enable authorization checks on the GithubAppPolicy to prevent unauthorized creation or modification of GitHub App sources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34170. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart