CVE-2026-42172
Received Received - Intake

Session Token Persistence in Coolify Prior to 4.0.0-beta.474

Vulnerability report for CVE-2026-42172, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.474 (exc)
coollabsio coolify From 4.0.0-beta.474 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42172 is a security vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The issue is that Sanctum API tokens did not have an expiration date prior to version 4.0.0-beta.474, meaning if a token was leaked, it could be used indefinitely without being revoked.

The root cause was the configuration setting 'expiration' => null in the Sanctum configuration, which caused tokens to never expire even if user passwords were changed.

This flaw allowed attackers who obtained a leaked token to maintain permanent access to sensitive data such as SSH private keys, environment variables, and other confidential information until the token was manually revoked.

The vulnerability was fixed in version 4.0.0-beta.474 by introducing token expiration and rotation mechanisms.

Impact Analysis

If you are using a vulnerable version of Coolify, a leaked Sanctum API token could allow an attacker to gain indefinite access to your system without needing to re-authenticate.

This could lead to unauthorized access to sensitive information such as SSH private keys and environment variables, potentially compromising the confidentiality and integrity of your data.

Because tokens never expire, attackers could maintain persistent access until the token is manually revoked, increasing the risk and impact of a breach.

Detection Guidance

This vulnerability involves Sanctum API tokens in Coolify that do not expire, allowing leaked tokens to retain indefinite access. Detection involves identifying API tokens without expiration dates or tokens that have been issued prior to the patch version 4.0.0-beta.474.

Since the vulnerability is related to token expiration configuration, you can check the token expiration settings in the Coolify configuration file (config/sanctum.php) to see if 'expiration' is set to null.

Additionally, you can audit active API tokens in your Coolify instance to find tokens without expiration dates or tokens that have been active for an unusually long time.

Specific commands are not provided in the resources, but general approaches include:

  • Review the sanctum.php configuration file for the 'expiration' setting.
  • Use Coolify's API token management UI or database queries to list tokens and check their expiration status.
  • Monitor logs or network traffic for API token usage patterns that indicate long-lived tokens.
Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Coolify to version 4.0.0-beta.474 or later, where the issue is fixed by introducing expiration support for Sanctum API tokens.

Configure a reasonable expiration period for API tokens, such as 90 days, to ensure tokens do not remain valid indefinitely.

Implement token rotation mechanisms and enable the scheduled pruning job that automatically removes expired tokens.

Enable and monitor the notification system that warns team members about tokens expiring within 24 hours, allowing proactive token management.

  • Upgrade Coolify to version 4.0.0-beta.474 or later.
  • Set token expiration periods in the configuration or during token creation.
  • Use the new scheduled jobs to prune expired tokens and send expiration warnings.
  • Review and revoke any existing tokens that do not have expiration dates.
Compliance Impact

The vulnerability in Coolify prior to version 4.0.0-beta.474 allowed Sanctum API tokens to never expire, which means that if a token was leaked, it could provide indefinite access to sensitive data such as SSH private keys and environment variables. This indefinite access could lead to unauthorized data exposure or breaches, potentially violating compliance requirements under standards like GDPR or HIPAA that mandate strict access controls and timely revocation of credentials.

By not having token expiration, the risk of prolonged unauthorized access increases, which can impact confidentiality and integrity of sensitive information, key aspects of many regulatory frameworks.

The fix introduced in version 4.0.0-beta.474 adds optional expiration for API tokens, automated pruning of expired tokens, and advance notifications for token expiration. These improvements help enforce better access control and reduce the risk of long-term unauthorized access, thereby supporting compliance with common security standards and regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart