CVE-2026-42147
Received Received - Intake

SSRF via S3 Endpoint Validation in Coolify

Vulnerability report for CVE-2026-42147, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection() sends a server-side request to the configured endpoint, allowing an authenticated user with storage management permissions to make Coolify request internal or metadata-service URLs. This issue is fixed in version 4.0.0-beta.474.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.474 (inc)
coollabsio coolify to 4.0.0-beta.474 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42147 is a Server-Side Request Forgery (SSRF) vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The issue occurs in the S3 Storage functionality where the system only validates the format of the S3 storage endpoint URL but does not verify whether the URL points to internal or private network addresses.

Because of this, an authenticated user with storage management permissions can configure an S3 endpoint that points to internal services or metadata URLs. When the system tests the connection to this endpoint, it sends a server-side HTTP request to the specified URL, potentially allowing the attacker to interact with internal services or access sensitive metadata.

This vulnerability is fixed in version 4.0.0-beta.474 by adding strict validation to block unsafe endpoints, including private IPs and internal hostnames.

Impact Analysis

This vulnerability can have several impacts if exploited by an authenticated attacker with storage management permissions:

  • The attacker can make the server send requests to internal or metadata service URLs, such as AWS Instance Metadata Service (IMDS), potentially stealing IAM credentials.
  • It allows probing and interacting with internal network services like Redis or PostgreSQL, which may not be otherwise accessible.
  • It can lead to error-based information disclosure about internal services, revealing sensitive information.

Overall, this can lead to unauthorized access to sensitive internal resources and credentials, increasing the risk of further compromise.

Detection Guidance

This vulnerability can be detected by monitoring for attempts to create or update S3 Storage configurations with internal or private network endpoints, especially when the "Test Connection" feature is used.

Since the vulnerability involves server-side requests to user-controlled endpoints, detection can include checking logs for HTTP GET requests sent from the Coolify server to internal IP addresses or metadata service URLs such as 169.254.169.254 or localhost.

Suggested commands to detect suspicious activity include:

  • Review application logs for requests to internal IPs or metadata service URLs.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) on the server hosting Coolify to capture outbound HTTP requests to private IP ranges or localhost.
  • Example tcpdump command to capture HTTP requests to private IP ranges: tcpdump -i eth0 dst net 169.254.0.0/16 or dst net 127.0.0.0/8 or dst net 10.0.0.0/8 or dst net 192.168.0.0/16
  • Check for usage of the "Test Connection" feature in the Coolify UI or API that triggers requests to suspicious endpoints.
Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.474 or later, where the vulnerability is fixed by enforcing strict validation of S3 storage endpoints.

If upgrading is not immediately possible, restrict access to the Coolify application to trusted users only, as exploitation requires authenticated users with storage management permissions.

Additionally, consider network-level controls to block outbound HTTP requests from the Coolify server to internal IP ranges and metadata service endpoints.

Review and audit existing S3 Storage configurations to ensure no internal or private network endpoints are configured.

Compliance Impact

The vulnerability CVE-2026-42147 is a Server-Side Request Forgery (SSRF) issue that allows an authenticated user with storage management permissions to make the Coolify server send requests to internal or metadata-service URLs. This can lead to theft of cloud metadata service credentials, internal service discovery, and interaction with internal services.

Such unauthorized access to internal services and sensitive metadata could potentially lead to exposure of sensitive data or unauthorized access to protected resources, which may impact compliance with data protection regulations like GDPR or HIPAA. Specifically, if internal credentials or sensitive information are leaked, it could violate requirements for data confidentiality and integrity.

However, the provided information does not explicitly state the direct impact on compliance with these standards or any regulatory consequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart