Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64421

CVE-2025-64421: Coolify Privilege Escalation Vulnerability

CVE-2025-64421 is a privilege escalation flaw in Coolify that allows low-privileged users to invite themselves as administrators by exploiting an invite mechanism. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-64421 Overview

CVE-2025-64421 is a privilege escalation vulnerability affecting Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability allows a low-privileged user (member) to bypass authorization controls and invite themselves as an administrator to the Coolify instance. While the application initially throws an error when a low-privileged user attempts to invite a high-privileged user, clicking the invite button a second time successfully bypasses this restriction. After successfully inviting a high-privileged account, an attacker can initiate a password reset and gain administrative access to the platform.

Critical Impact

Low-privileged users can escalate to administrative access, potentially gaining full control over the Coolify instance including all managed servers, applications, and databases.

Affected Products

  • Coolify versions up to and including v4.0.0-beta.434

Discovery Timeline

  • 2026-01-05 - CVE-2025-64421 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-64421

Vulnerability Analysis

This vulnerability is classified as CWE-863 (Incorrect Authorization), indicating a fundamental flaw in how the application validates user permissions during the invitation workflow. The authorization bypass occurs due to a race condition or state management issue in the invitation logic.

The attack exploits a critical flaw in the invitation system where the initial authorization check properly rejects the request, but a subsequent identical request bypasses this validation. This suggests the error handling or state management in the invitation workflow inadvertently creates a window where the authorization check is not properly enforced.

Once a low-privileged attacker successfully invites an administrator account (which can be tied to an email address they control), they can leverage the password reset functionality to gain access to that admin account. This provides full administrative privileges over the entire Coolify instance, including control over all managed infrastructure.

Root Cause

The root cause lies in improper authorization enforcement within the user invitation workflow. The application fails to consistently validate user privileges when processing invitation requests. The fact that the first request is rejected but the second succeeds indicates that the authorization state is not properly maintained between requests, or there is a logic flaw that allows the second request to bypass the privilege check entirely.

This represents a classic Broken Access Control vulnerability where the authorization logic does not properly enforce role-based restrictions for sensitive administrative operations like inviting privileged users.

Attack Vector

The attack is network-based and requires only low-level authentication (member access) to the Coolify instance. The exploitation path follows these steps:

  1. The attacker authenticates as a low-privileged member user
  2. The attacker initiates an invitation for a high-privileged (admin) user role, using an email address they control
  3. The application throws an error, which the attacker ignores
  4. The attacker clicks the invite button a second time
  5. The invitation succeeds despite the lack of proper authorization
  6. The attacker initiates a password reset for the newly created admin account
  7. The attacker gains administrative access to the Coolify instance

No user interaction is required beyond the attacker's own actions. Technical details regarding this vulnerability can be found in the GitHub Security Advisory.

Detection Methods for CVE-2025-64421

Indicators of Compromise

  • Multiple invitation attempts for administrator or high-privileged roles from non-admin users
  • Invitation error responses followed immediately by successful invitation creation
  • Unusual password reset requests for newly created administrator accounts
  • Low-privileged users gaining administrator access without proper authorization workflow

Detection Strategies

  • Monitor invitation API endpoints for repeated requests from the same session with identical parameters
  • Alert on any successful admin user invitations originating from sessions with member-level privileges
  • Implement audit logging to track privilege level changes and invitation workflows
  • Review access logs for patterns showing error responses followed by successful requests to the same endpoint

Monitoring Recommendations

  • Enable comprehensive audit logging for all user invitation and privilege modification operations
  • Set up alerts for administrator account creation events that bypass normal approval workflows
  • Monitor for password reset requests targeting recently created administrator accounts
  • Implement rate limiting on invitation endpoints to slow exploitation attempts

How to Mitigate CVE-2025-64421

Immediate Actions Required

  • Restrict access to Coolify instances to trusted users only until a patch is available
  • Review existing user accounts for any unauthorized administrator privileges
  • Implement network-level access controls to limit who can reach the Coolify management interface
  • Enable multi-factor authentication for all administrator accounts
  • Monitor audit logs for signs of exploitation attempts

Patch Information

As of the time of publication, it is unclear if a patch is available. Organizations should monitor the Coolify GitHub repository for security updates and apply patches immediately when released. Upgrading to a version beyond v4.0.0-beta.434 may address this issue once a fix is made available.

Workarounds

  • Limit member-level access to only absolutely trusted users until a patch is applied
  • Implement a reverse proxy with additional authentication layers in front of the Coolify interface
  • Disable or restrict the user invitation functionality if possible through configuration
  • Place Coolify instances behind a VPN to limit network exposure
  • Regularly audit user privilege levels to detect unauthorized escalation
bash
# Example: Restrict network access to Coolify using iptables
# Allow access only from trusted management network
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.