Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42145

CVE-2026-42145: Coolify File Upload DoS Vulnerability

CVE-2026-42145 is a denial of service vulnerability in Coolify that allows authenticated users to upload oversized files, affecting service availability. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-42145 Overview

CVE-2026-42145 affects Coolify, an open-source and self-hostable platform for managing servers, applications, and databases. Versions prior to 4.0.0-beta.474 contain a missing input validation flaw in the database backup restore upload endpoint at app/Http/Controllers/UploadController.php. The endpoint did not enforce file type or file size validation. An authenticated user can upload unexpected or oversized files, degrading service availability. The issue is classified as Unrestricted Upload of File with Dangerous Type [CWE-434]. Coolify addressed the flaw in version 4.0.0-beta.474.

Critical Impact

Authenticated users can upload arbitrary or oversized files to the backup restore endpoint, causing potential denial-of-service conditions on the Coolify host.

Affected Products

  • Coolify versions prior to 4.0.0-beta.474
  • app/Http/Controllers/UploadController.php database backup upload handler
  • Self-hosted Coolify deployments exposing the upload endpoint to authenticated users

Discovery Timeline

  • 2026-07-07 - CVE-2026-42145 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-42145

Vulnerability Analysis

The vulnerability resides in the upload method of the UploadController class. This controller handles database backup restore uploads in Coolify. Prior to the patch, the controller accepted any file submitted by an authenticated user without validating extension, MIME type, or size. An attacker with valid team credentials can submit arbitrarily large files or files with unexpected formats. The result is disk exhaustion, filesystem saturation, or resource pressure on the Coolify host. Because the endpoint requires authentication and targets availability only, the impact is limited to service disruption rather than confidentiality or integrity loss.

Root Cause

The root cause is missing input validation on file uploads [CWE-434]. The upload handler performed a resource ownership check but did not enforce an allow-list of extensions or a maximum byte size. Any authenticated team member could bypass reasonable upload expectations.

Attack Vector

The attack is network-based and requires low privileges but high attack complexity. An authenticated user sends a crafted multipart upload request to the database backup restore endpoint. The request contains either an oversized payload or a file with an unexpected extension. The server writes the file to disk without rejecting it, consuming storage and potentially disrupting other Coolify workloads on the same host.

php
// Patch: app/Http/Controllers/UploadController.php
class UploadController extends BaseController
{
    private const MAX_BYTES = 10 * 1024 * 1024 * 1024; // 10 GiB

    private const ALLOWED_EXTENSIONS = [
        'sql',
        'sql.gz',
        'gz',
        'zip',
        'tar',
        'tar.gz',
        'tgz',
        'dump',
        'bak',
        'bson',
        'bson.gz',
        'archive',
        'archive.gz',
        'bz2',
        'xz',
    ];

    public function upload(Request $request)
    {
        $databaseIdentifier = request()->route('databaseUuid');
        $resource = getResourceByUuid($databaseIdentifier, data_get(auth()->user()->currentTeam(), 'id'));
        if (is_null($resource)) {
            return response()->json(['error' => 'You do not have permission for this database'], 500);
        }

Source: Coolify commit e6a6446

Detection Methods for CVE-2026-42145

Indicators of Compromise

  • Unusually large files written to the Coolify backup upload directory tied to a single team or user
  • Uploads to the database backup restore endpoint with extensions outside the allow-list (sql, gz, zip, tar, dump, bak, etc.)
  • Rapid disk consumption or no space left on device errors on the Coolify host
  • Repeated POST requests to the UploadController endpoint from the same authenticated session

Detection Strategies

  • Monitor HTTP access logs for large Content-Length values on requests to the database backup upload route
  • Correlate authenticated user activity with sudden growth in the backup storage volume
  • Alert on Laravel application logs referencing UploadController write failures or storage-related exceptions

Monitoring Recommendations

  • Track disk utilization on Coolify hosts and alert when free space drops below a defined threshold
  • Baseline expected backup file sizes per database and flag statistical outliers
  • Enable audit logging on team membership changes to identify unexpected users with upload privileges

How to Mitigate CVE-2026-42145

Immediate Actions Required

  • Upgrade Coolify to version 4.0.0-beta.474 or later, which enforces file extension allow-listing and a 10 GiB size cap
  • Review team membership and revoke access for accounts that do not require database backup restore functionality
  • Audit the backup storage directory for oversized or unexpected files uploaded before the patch was applied

Patch Information

The fix is available in Coolify release v4.0.0-beta.474. Technical details are documented in GitHub Security Advisory GHSA-66gv-g2w9-6wxp and Pull Request #9667. The patch introduces a MAX_BYTES constant of 10 GiB and an ALLOWED_EXTENSIONS allow-list in UploadController.

Workarounds

  • Place the Coolify instance behind a reverse proxy (nginx, Traefik) with a request body size limit smaller than the available disk capacity
  • Restrict network access to the Coolify management interface using a VPN or IP allow-list
  • Apply filesystem quotas to the backup storage directory to contain disk exhaustion
bash
# nginx reverse proxy body size limit example
server {
    listen 443 ssl;
    server_name coolify.example.com;

    client_max_body_size 10G;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.