CVE-2026-34171
Received Received - Intake

Password Reset via Predictable Invitation UUID in Coolify

Vulnerability report for CVE-2026-34171, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to reset a victim's password to a known value and gain full access to the victim's account, including all servers, applications, and secrets managed by Coolify.

Such unauthorized access and account takeover can lead to exposure or compromise of sensitive personal data or protected health information, which may violate data protection regulations like GDPR or HIPAA.

Therefore, the vulnerability poses a significant risk to compliance with these standards by potentially enabling unauthorized data access and failing to maintain adequate security controls.

Executive Summary

CVE-2026-34171 is a high-severity vulnerability in Coolify versions prior to 4.0.0-beta.471. It involves a Cross-Site Request Forgery (CSRF) flaw in the GET /invitations/{uuid} endpoint, which allows an attacker to reset a victim's password to a predictable value.

The vulnerability occurs because the endpoint performs a state-changing password reset when the reset-password query parameter is present in a GET request. Since GET requests lack CSRF protection, an attacker who can trick a logged-in victim into visiting a crafted invitation URL with ?reset-password=1 can silently reset the victim's password to the invitation UUID, a value known to the attacker.

After the password reset, the victim is added to the attacker's team, and the attacker can log in using the known password, gaining full access to the victim's account, including servers, applications, and secrets.

Impact Analysis

This vulnerability can lead to a full account takeover by an attacker. If exploited, the attacker can reset your account password to a known value without your consent.

Once the attacker gains access, they can access all your servers, applications, and secrets managed through Coolify, potentially leading to data breaches, service disruptions, and unauthorized control over your infrastructure.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious GET requests to the /invitations/{uuid} endpoint that include the reset-password query parameter. Such requests indicate attempts to exploit the password reset flaw.

You can search your web server logs or network traffic for URLs matching the pattern: /invitations/{uuid}?reset-password=1

  • Using grep on server logs: grep "/invitations/.*\?reset-password=1" /path/to/access.log
  • Using tcpdump or Wireshark to filter HTTP GET requests containing "reset-password=1" in the URL.

Additionally, audit your application routes to confirm if any GET endpoints perform state-changing operations, which is a security risk.

Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.471 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict access to the /invitations/{uuid} endpoint to trusted users only and monitor for suspicious requests.

Avoid using GET requests for state-changing operations such as password resets. The vulnerable functionality should be converted to a POST request with proper CSRF protection.

Remove or disable the reset-password query parameter from the invitation acceptance endpoint to prevent exploitation.

Audit all GET endpoints in your application to ensure none perform state-changing actions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34171. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart