CVE-2026-27882 Overview
Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. Versions prior to 4.0.0-beta.461 validate GitLab webhook secret tokens using the non-constant-time !== string comparison operator. This implementation exposes the secret validation logic to timing side-channel analysis. An unauthenticated attacker can measure response time differences to progressively recover the webhook secret token. The vulnerability is classified under CWE-208: Observable Timing Discrepancy and is fixed in Coolify 4.0.0-beta.461.
Critical Impact
An unauthenticated remote attacker can recover the GitLab webhook secret through timing analysis, enabling forged webhook requests to trigger unauthorized deployments or repository automation actions in Coolify.
Affected Products
- Coolify versions prior to 4.0.0-beta.461
- GitLab webhook integration endpoint
- Self-hosted Coolify deployments exposing webhook endpoints to the network
Discovery Timeline
- 2026-06-30 - CVE-2026-27882 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-27882
Vulnerability Analysis
The vulnerability resides in the GitLab webhook handler of Coolify. When an inbound webhook request arrives, the handler compares the supplied X-Gitlab-Token header against the stored secret using the JavaScript strict inequality operator !==. This operator short-circuits on the first byte mismatch, causing the comparison to complete faster for tokens that share a longer common prefix with the stored secret.
An attacker with network reachability to the webhook endpoint can issue repeated requests with candidate tokens and measure server response times. By iteratively fixing bytes that produce measurably longer processing times, the attacker reconstructs the full secret one byte at a time. Successful recovery of the token allows the attacker to submit forged GitLab webhook payloads that Coolify treats as authentic.
Root Cause
The root cause is the use of a non-constant-time comparison for a security-sensitive secret. Secret validation must use a constant-time comparison routine such as Node.js crypto.timingSafeEqual to ensure execution time is independent of input contents. Coolify's prior implementation leaked byte-level timing information proportional to the correctness of the supplied token.
Attack Vector
Exploitation requires network access to the Coolify GitLab webhook endpoint but no authentication or user interaction. The attacker sends many crafted requests, records latency statistics, and applies statistical analysis to isolate the timing signal from network jitter. High attack complexity reflects the need for repeated sampling and low-noise conditions. Successful exploitation yields the webhook secret, which the attacker then uses to trigger unauthorized deployment or repository events. See the GitHub Security Advisory GHSA-x525-46rq-mr8c for additional technical context.
// Vulnerability described in prose only - no verified exploit code available.
// The vulnerable pattern conceptually resembles:
// if (providedToken !== storedSecret) { reject(); }
// which returns faster on early-byte mismatches, leaking timing information.
Detection Methods for CVE-2026-27882
Indicators of Compromise
- High-volume inbound requests to the GitLab webhook endpoint from a single source IP or narrow IP range
- Repeated webhook requests carrying varying X-Gitlab-Token header values against the same project
- Bursts of failed webhook authentication events with sub-second inter-arrival times
- Successful webhook deliveries followed by unexpected deployment or build activity not tied to legitimate GitLab commits
Detection Strategies
- Enable request logging on the Coolify reverse proxy and alert on abnormal request rates against /webhooks/source/gitlab or equivalent paths
- Correlate webhook authentication failures with subsequent successful deliveries from the same source
- Baseline normal GitLab webhook traffic patterns and flag deviations in request volume, header entropy, or response-time probing behavior
Monitoring Recommendations
- Forward Coolify application logs and reverse-proxy access logs to a centralized logging or SIEM platform for correlation
- Monitor Coolify audit events for deployments triggered outside expected CI/CD windows or without matching GitLab commit records
- Track outbound network activity from Coolify hosts for anomalous connections following webhook-triggered actions
How to Mitigate CVE-2026-27882
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.461 or later, which replaces the vulnerable comparison with a constant-time check
- Rotate all GitLab webhook secret tokens configured in Coolify after upgrading
- Restrict network exposure of the Coolify webhook endpoint to GitLab source IP ranges where feasible
- Review recent deployment and build history for actions that do not correspond to legitimate GitLab commits
Patch Information
The maintainers fixed the issue in Coolify 4.0.0-beta.461 by replacing the non-constant-time !== comparison with a timing-safe comparison routine. Details are documented in the Coolify GitHub Security Advisory.
Workarounds
- Place the Coolify webhook endpoint behind a reverse proxy that enforces IP allowlisting for GitLab webhook sources
- Apply strict rate limiting on the webhook path to raise the cost of timing measurement and reduce sampling accuracy
- Temporarily disable GitLab webhook integrations for high-value projects until the upgrade is applied
# Example NGINX rate limit and IP allowlist for the Coolify GitLab webhook path
# Adjust the allowlist to match GitLab.com or self-managed GitLab egress IPs
limit_req_zone $binary_remote_addr zone=gitlab_wh:10m rate=5r/s;
location /webhooks/source/gitlab {
allow 35.231.145.151/32;
allow 34.74.90.64/28;
deny all;
limit_req zone=gitlab_wh burst=10 nodelay;
proxy_pass http://coolify_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

