CVE-2025-64421
Published: 05 January 2026
Summary
CVE-2025-64421 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Coollabs Coolify. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations, directly preventing low-privileged users from inviting or assigning higher privileges like administrator in Coolify.
AC-6 applies least privilege to restrict privilege escalation actions, such as member users inviting administrators, to only authorized high-privilege roles.
AC-2 manages account creation and privilege assignment processes to ensure only authorized personnel can grant elevated roles, blocking self-invites to admin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation via an authorization bypass that lets a low-privileged user self-promote to administrator.
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks the invite button a second time, it actually works. This way, a low privileged user can invite themselves as an administrator to the Coolify instance. After the high privileged user is invited, the attacker can initiate a password reset and log in with the new admin. As of time of publication, it is unclear if a patch is available.
Deeper analysis
CVE-2025-64421 is a privilege escalation vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. It affects versions up to and including v4.0.0-beta.434. The issue, classified under CWE-863 (Incorrect Authorization), allows a low-privileged user designated as a member to invite a high-privileged user, such as an administrator. Although the application initially displays an error upon clicking the invite button, a second click succeeds in sending the invitation.
The attack requires network access (AV:N), low privileges (PR:L), and user interaction (UI:R), with a CVSS 3.1 base score of 8.0 (High). A member can exploit this by inviting themselves as an administrator; once invited, they can initiate a password reset for the new admin account and log in with elevated privileges. This grants full administrative control over the Coolify instance, enabling high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
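The following is an added illustration, not code from Coolify or its advisory, of the server-side enforcement that AC-3 and AC-6 call for in an invite flow like the one described above: the inviter's privilege is compared against the requested role on every request, a self-invite or an invite of an existing member is refused, and each decision is written to an audit trail so repeated denied attempts are visible to defenders. The role names, `User`/`Team` structures and helper names are hypothetical; the constructed `demo()` shows that a member's repeated attempts to invite themselves as admin are denied each time, which is the property the advisory's "second click succeeds" behaviour violates.

```python
"""Hypothetical invite-authorization check (added example, not Coolify's code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed role hierarchy; higher rank = more privilege.
# The names are illustrative and are not Coolify's actual role identifiers.
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}


class AuthorizationError(Exception):
    """Raised when an invite is refused by the authorization check."""


@dataclass
class User:
    email: str
    role: str


@dataclass
class Team:
    members: dict[str, User] = field(default_factory=dict)  # email -> User
    invites: list[tuple[str, str]] = field(default_factory=list)  # (email, role)


def can_invite(inviter: User, target_email: str, target_role: str, team: Team) -> tuple[bool, str]:
    """Pure authorization decision. It depends only on the inviter's current
    role and the request, never on transient UI or request-ordering state, so
    the same request always yields the same decision (CWE-863 mitigation)."""
    if inviter.role not in ROLE_RANK or target_role not in ROLE_RANK:
        return False, "unknown role"
    if ROLE_RANK[inviter.role] < ROLE_RANK["admin"]:
        return False, "only admin or owner may invite"
    if ROLE_RANK[target_role] > ROLE_RANK[inviter.role]:
        return False, "cannot grant a role above your own"
    if target_email.lower() == inviter.email.lower():
        return False, "cannot invite yourself"
    if target_email.lower() in team.members:
        return False, "already a member"
    return True, "ok"


def invite(team: Team, inviter: User, target_email: str, target_role: str, audit: list[str]) -> bool:
    """Enforces can_invite() and records every decision, allow or deny, so a
    burst of denied invite attempts from one account can be alerted on."""
    allowed, reason = can_invite(inviter, target_email, target_role, team)
    audit.append(
        f"invite by={inviter.email} role={inviter.role} target={target_email} "
        f"as={target_role} decision={'allow' if allowed else 'deny'} reason={reason}"
    )
    if not allowed:
        raise AuthorizationError(reason)
    team.invites.append((target_email.lower(), target_role))
    return True


def demo() -> tuple[list[str], list[tuple[str, str]], list[str]]:
    """Constructed scenario: a member retries a self-invite to admin three
    times; an admin then issues a legitimate member invite."""
    team = Team()
    member = User("mallory@example.com", "member")
    admin = User("alice@example.com", "admin")
    team.members = {u.email: u for u in (member, admin)}
    audit: list[str] = []
    results: list[str] = []
    for _ in range(3):  # every repeated attempt must be denied, not just the first
        try:
            invite(team, member, member.email, "admin", audit)
            results.append("allow")
        except AuthorizationError as exc:
            results.append(f"deny:{exc}")
    invite(team, admin, "bob@example.com", "member", audit)
    return results, list(team.invites), audit


if __name__ == "__main__":
    decisions, pending, log = demo()
    print(decisions)
    print(pending)
    print("\n".join(log))
```

The design point is that `can_invite()` is a pure function of the inviter's persisted role and the request, so there is no first-attempt-only error path for a retry to slip past; the audit list is the hook a SOC would feed into detection for repeated `decision=deny` events from the same account.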
Advisories are available via the GitHub Security Advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-4p6r-m39m-9cm9 and a detailed report at https://drive.google.com/file/d/1YZHFgiZv_k9p9909A63DAErsTsh8K1rc/view?usp=drive_link. As of the CVE publication on 2026-01-05T20:16:02.860, it is unclear if a patch is available.
Details
- CWE(s)