CVE-2026-42145
Received Received - Intake

Unauthenticated File Upload in Coolify

Vulnerability report for CVE-2026-42145, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for database backup restore uploads did not enforce file type or size validation, allowing an authenticated user to upload unexpected or oversized files that could affect service availability. This issue is fixed in version 4.0.0-beta.474.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.474 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42145 is a vulnerability in Coolify versions before 4.0.0-beta.474 affecting the file upload endpoint used for database backup restoration. The issue is that the application did not validate the type or size of files uploaded by authenticated users, allowing them to upload unexpected or oversized files.

Because there was no restriction on file types, attackers could upload arbitrary files, including potentially executable scripts like PHP files. The filename generation was predictable, which could allow attackers to locate and possibly execute these files later.

This vulnerability could lead to service disruption by exhausting disk space through large or numerous uploads, and potentially remote code execution if malicious files are processed.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user with database management permissions to upload arbitrary or oversized files, which can fill up the server's disk space and degrade or disrupt service availability.

Additionally, if malicious files such as executable scripts are uploaded and later processed, it could lead to remote code execution, compromising the security and integrity of your system.

Detection Guidance

This vulnerability involves the ability of an authenticated user to upload unexpected or oversized files through the database backup upload endpoint without proper file type or size validation.

To detect exploitation attempts or presence of this vulnerability on your system, you can monitor for unusual or large file uploads to the backup upload endpoint, especially files with unexpected extensions such as .php or other executable formats.

Since the filename generation was predictable using md5(time()), you can also check for files with names matching this pattern in the storage location.

Suggested commands to detect suspicious files or uploads include:

  • Use find to locate large files or unexpected file types in the upload directory, for example: `find /path/to/uploads -type f \( -name '*.php' -o -size +100M \)`
  • Check web server or application logs for POST requests to the upload endpoint (e.g., `/app/Http/Controllers/UploadController.php`) with large payloads or unusual file extensions.
  • Use grep or similar tools to search logs for upload attempts: `grep 'POST /upload' /var/log/nginx/access.log | grep -E '\.php|\.exe'`
  • Monitor disk usage to detect abnormal growth that could indicate disk exhaustion attacks: `du -sh /path/to/uploads` or `df -h`
Mitigation Strategies

The primary mitigation is to upgrade Coolify to version 4.0.0-beta.474 or later, where this vulnerability is fixed by enforcing file type and size validation on database backup uploads.

If upgrading immediately is not possible, consider the following interim steps:

  • Restrict access to the database backup upload endpoint to only trusted and authenticated users with necessary permissions.
  • Manually monitor and remove any unexpected or oversized files in the upload storage to prevent disk exhaustion.
  • Implement network-level controls such as web application firewall (WAF) rules to block uploads with disallowed file extensions or large payloads.
  • Review and tighten authentication and authorization policies to limit who can perform database backup uploads.
Compliance Impact

The vulnerability in Coolify prior to version 4.0.0-beta.474 allows authenticated users to upload arbitrary or oversized files without validation, which can lead to service availability issues such as disk space exhaustion and potential remote code execution.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the impact on service availability (denial of service) could indirectly affect compliance requirements related to system availability and integrity.

However, there is no direct information provided about data confidentiality or privacy breaches that would more directly impact regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart