CVE-2026-42145 Overview
CVE-2026-42145 affects Coolify, an open-source and self-hostable platform for managing servers, applications, and databases. Versions prior to 4.0.0-beta.474 contain a missing input validation flaw in the database backup restore upload endpoint at app/Http/Controllers/UploadController.php. The endpoint did not enforce file type or file size validation. An authenticated user can upload unexpected or oversized files, degrading service availability. The issue is classified as Unrestricted Upload of File with Dangerous Type [CWE-434]. Coolify addressed the flaw in version 4.0.0-beta.474.
Critical Impact
Authenticated users can upload arbitrary or oversized files to the backup restore endpoint, causing potential denial-of-service conditions on the Coolify host.
Affected Products
- Coolify versions prior to 4.0.0-beta.474
- app/Http/Controllers/UploadController.php database backup upload handler
- Self-hosted Coolify deployments exposing the upload endpoint to authenticated users
Discovery Timeline
- 2026-07-07 - CVE-2026-42145 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-42145
Vulnerability Analysis
The vulnerability resides in the upload method of the UploadController class. This controller handles database backup restore uploads in Coolify. Prior to the patch, the controller accepted any file submitted by an authenticated user without validating extension, MIME type, or size. An attacker with valid team credentials can submit arbitrarily large files or files with unexpected formats. The result is disk exhaustion, filesystem saturation, or resource pressure on the Coolify host. Because the endpoint requires authentication and targets availability only, the impact is limited to service disruption rather than confidentiality or integrity loss.
Root Cause
The root cause is missing input validation on file uploads [CWE-434]. The upload handler performed a resource ownership check but did not enforce an allow-list of extensions or a maximum byte size. Any authenticated team member could bypass reasonable upload expectations.
Attack Vector
The attack is network-based and requires low privileges but high attack complexity. An authenticated user sends a crafted multipart upload request to the database backup restore endpoint. The request contains either an oversized payload or a file with an unexpected extension. The server writes the file to disk without rejecting it, consuming storage and potentially disrupting other Coolify workloads on the same host.
// Patch: app/Http/Controllers/UploadController.php
class UploadController extends BaseController
{
private const MAX_BYTES = 10 * 1024 * 1024 * 1024; // 10 GiB
private const ALLOWED_EXTENSIONS = [
'sql',
'sql.gz',
'gz',
'zip',
'tar',
'tar.gz',
'tgz',
'dump',
'bak',
'bson',
'bson.gz',
'archive',
'archive.gz',
'bz2',
'xz',
];
public function upload(Request $request)
{
$databaseIdentifier = request()->route('databaseUuid');
$resource = getResourceByUuid($databaseIdentifier, data_get(auth()->user()->currentTeam(), 'id'));
if (is_null($resource)) {
return response()->json(['error' => 'You do not have permission for this database'], 500);
}
Source: Coolify commit e6a6446
Detection Methods for CVE-2026-42145
Indicators of Compromise
- Unusually large files written to the Coolify backup upload directory tied to a single team or user
- Uploads to the database backup restore endpoint with extensions outside the allow-list (sql, gz, zip, tar, dump, bak, etc.)
- Rapid disk consumption or no space left on device errors on the Coolify host
- Repeated POST requests to the UploadController endpoint from the same authenticated session
Detection Strategies
- Monitor HTTP access logs for large Content-Length values on requests to the database backup upload route
- Correlate authenticated user activity with sudden growth in the backup storage volume
- Alert on Laravel application logs referencing UploadController write failures or storage-related exceptions
Monitoring Recommendations
- Track disk utilization on Coolify hosts and alert when free space drops below a defined threshold
- Baseline expected backup file sizes per database and flag statistical outliers
- Enable audit logging on team membership changes to identify unexpected users with upload privileges
How to Mitigate CVE-2026-42145
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.474 or later, which enforces file extension allow-listing and a 10 GiB size cap
- Review team membership and revoke access for accounts that do not require database backup restore functionality
- Audit the backup storage directory for oversized or unexpected files uploaded before the patch was applied
Patch Information
The fix is available in Coolify release v4.0.0-beta.474. Technical details are documented in GitHub Security Advisory GHSA-66gv-g2w9-6wxp and Pull Request #9667. The patch introduces a MAX_BYTES constant of 10 GiB and an ALLOWED_EXTENSIONS allow-list in UploadController.
Workarounds
- Place the Coolify instance behind a reverse proxy (nginx, Traefik) with a request body size limit smaller than the available disk capacity
- Restrict network access to the Coolify management interface using a VPN or IP allow-list
- Apply filesystem quotas to the backup storage directory to contain disk exhaustion
# nginx reverse proxy body size limit example
server {
listen 443 ssl;
server_name coolify.example.com;
client_max_body_size 10G;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

