CVE-2025-64423 Overview
CVE-2025-64423 is a privilege escalation vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability allows a low-privileged user (member) to view and exploit invitation links intended for administrators. By using these links before the legitimate recipient, an attacker can authenticate as an administrator, achieving full privilege escalation within the Coolify platform.
Critical Impact
A low-privileged member can escalate to administrator privileges by hijacking administrator invitation links, potentially gaining full control over server, application, and database management functions.
Affected Products
- Coolify versions up to and including v4.0.0-beta.434
Discovery Timeline
- 2026-01-05 - CVE-2025-64423 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-64423
Vulnerability Analysis
This vulnerability stems from an improper authentication mechanism (CWE-287) in how Coolify handles invitation links for administrative accounts. The fundamental flaw lies in the application's failure to properly isolate invitation tokens and enforce authorization checks on who can access and utilize these links.
When an administrator invitation is generated, the link becomes accessible to existing low-privileged users within the system. This breaks the intended security boundary between user privilege levels. The invitation workflow does not validate that the user attempting to consume the invitation link matches the intended recipient, nor does it restrict visibility of pending invitations to appropriate privilege levels.
The exploitation scenario is straightforward: a member-level user can observe or access the administrator invitation link through the application interface, and by clicking the link before the intended administrator recipient, they inherit the administrator role. This represents a classic authentication bypass where the invitation token alone serves as the authentication credential without proper identity verification.
Root Cause
The root cause is improper authentication handling (CWE-287) in Coolify's invitation system. The application fails to implement proper authorization checks that would restrict invitation link visibility and usage to only the intended recipients. Invitation tokens are not bound to specific email addresses or user identities, allowing any authenticated user to claim administrative privileges by using an unbound invitation link.
Attack Vector
The attack is network-accessible and requires low privileges. An authenticated member must have access to the Coolify instance where they can observe administrator invitation links. The attack workflow involves:
- Attacker authenticates as a low-privileged member user
- Attacker locates or accesses an administrator invitation link through the interface
- Attacker uses the invitation link before the intended recipient
- The system grants administrator privileges to the attacker without verifying intended recipient identity
The vulnerability requires some level of timing or opportunity (accessing the link before the legitimate user), but does not require user interaction from the victim.
Detection Methods for CVE-2025-64423
Indicators of Compromise
- Unexpected privilege escalation events where member accounts suddenly gain administrator access
- Multiple accounts consuming invitation links from different IP addresses or sessions
- Administrator invitation links being accessed by users other than the intended email recipient
- Anomalous patterns in invitation link usage, particularly rapid succession of link access attempts
Detection Strategies
- Monitor authentication logs for privilege changes that bypass normal administrator approval workflows
- Implement alerting on invitation link consumption events, correlating the consuming user identity with the intended recipient
- Review access logs for member-level accounts accessing invitation management endpoints
- Track session activity for users who transition from member to administrator privileges unexpectedly
Monitoring Recommendations
- Enable detailed audit logging for all invitation creation and consumption events
- Configure alerts for privilege escalation events within the Coolify platform
- Implement user behavior analytics to detect anomalous privilege changes
- Regularly review administrator account creation and modification logs
How to Mitigate CVE-2025-64423
Immediate Actions Required
- Audit all current administrator accounts to identify any that were created through potentially compromised invitation workflows
- Revoke any pending administrator invitation links and regenerate them through secure out-of-band channels
- Restrict access to the Coolify management interface to trusted networks only
- Consider temporarily disabling the invitation system until a patch is available
Patch Information
As of the publication date, it is unclear if a patch is available for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates on remediation options and patch availability.
Workarounds
- Distribute administrator invitation links exclusively through secure out-of-band channels such as encrypted email or secure messaging
- Implement network-level access controls to limit who can reach the Coolify management interface
- Manually provision administrator accounts directly in the database rather than using the invitation system
- Monitor for and immediately investigate any unexpected privilege escalation events
- Consider running Coolify in an isolated network segment with strict access controls
# Example: Restrict access to Coolify management interface via firewall
# Allow only trusted administrator IPs to access the Coolify port
iptables -A INPUT -p tcp --dport 3000 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
