CVE-2026-34198
Received Received - Intake

TrustProxies Misconfiguration Enables Host Header Attack in Coolify

Vulnerability report for CVE-2026-34198, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting X-Forwarded-Host from any source. The TrustHosts middleware, intended to prevent host header attacks, has a circular caching dependency that prevents it from ever validating hosts. When a password reset is requested, the ResetPassword notification generates the reset URL using url(route(..., false)), which derives the host from the (spoofable) request. An unauthenticated attacker can trigger a password reset email containing a link pointing to an attacker-controlled domain, enabling token theft and account takeover. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
CWE-346 The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34198 is a vulnerability in Coolify versions prior to 4.0.0-beta.471 where the application improperly trusts all proxies and fails to validate host headers correctly. Specifically, the TrustProxies middleware accepts the X-Forwarded-Host header from any source, and the TrustHosts middleware has a caching bug that prevents it from validating hosts. When a password reset is requested, the reset URL is generated using the host derived from the spoofable request headers. This allows an unauthenticated attacker to send a password reset email containing a link pointing to an attacker-controlled domain.

If a victim clicks the malicious link, the attacker can steal the password reset token and potentially take over the victim's account. The vulnerability arises from relying on request-derived host headers instead of server-side configuration for generating reset URLs.

Mitigation Strategies

Immediate mitigation steps include upgrading Coolify to version 4.0.0-beta.471 or later, where the vulnerability is fixed.

  • Apply the patch that changes password reset URL generation to use server-side configuration (such as APP_URL or base_url()) instead of relying on spoofable request headers.
  • Restrict the TrustProxies middleware to only trust known proxy IP addresses instead of trusting all proxies.
  • Configure your reverse proxy (e.g., Traefik) to restrict or sanitize forwarded headers like X-Forwarded-Host to prevent header injection.
  • Ensure the TrustHosts middleware is properly validating Host and X-Forwarded-Host headers against a whitelist of trusted hosts.
  • Queue password reset notifications to reduce the risk of automated exploitation.

These steps collectively prevent attackers from poisoning password reset links and protect against account takeover.

Impact Analysis

This vulnerability can lead to account takeover by allowing attackers to send password reset emails with links pointing to attacker-controlled domains. If a user clicks such a link, the attacker can capture the reset token and email, enabling them to reset the victim's password and gain unauthorized access to their account.

The impact includes potential full account compromise, unauthorized server access, and data theft. The attack requires no privileges and can be executed by an unauthenticated attacker, making it a significant security risk.

Compliance Impact

The vulnerability in Coolify allows an unauthenticated attacker to send password reset emails containing links to attacker-controlled domains, enabling token theft and account takeover. This can lead to unauthorized access to user accounts and potentially sensitive data.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate controls to prevent unauthorized access.

By allowing attackers to hijack password reset tokens, the vulnerability increases the risk of data exposure and compromise, which may result in violations of data protection requirements and lead to legal and regulatory consequences.

Detection Guidance

Detection of this vulnerability involves checking if the Coolify application is using a vulnerable version prior to 4.0.0-beta.471 and if it improperly trusts all proxies and accepts X-Forwarded-Host headers from any source.

You can monitor network traffic for suspicious password reset emails containing links with unexpected or attacker-controlled domains, which may indicate exploitation attempts.

On the system, you can verify the Coolify version by running commands like:

  • Check the installed Coolify version: `coolify --version` or check the version in your deployment configuration files.
  • Inspect logs for password reset requests and verify if reset URLs contain unexpected hostnames.

Additionally, you can use network packet capture tools (e.g., tcpdump or Wireshark) to filter HTTP headers for suspicious X-Forwarded-Host values:

  • Example tcpdump command to capture HTTP headers containing X-Forwarded-Host: `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep X-Forwarded-Host`

However, no specific detection commands are provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34198. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart