CVE-2025-64423 HIGH

CVE-2025-64423: Coolify has a Privilege Escalation - low privileged users can see and use admin invitation links

Vendor Coollabsio
Product coolify
Weakness CWE-287 · Improper authentication
Published January 5, 2026
Last update January 5, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.

Key dates

02Disclosure timeline

January 5, 2026 CVE published
January 5, 2026 Record updated