CVE-2025-64423
Published: 05 January 2026
Summary
CVE-2025-64423 is a high-severity Improper Authentication (CWE-287) vulnerability in Coollabs Coolify. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 23.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Manages invitation links as authenticators by verifying recipient identity and protecting against unauthorized access or use by low-privileged members, directly preventing privilege escalation.
- Enforces least privilege to restrict low-privileged members from accessing or assuming administrator roles via invitation links.
- Enforces access control policies to block low-privileged users from viewing or utilizing administrator invitation links.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation via exploitation of an invitation-link authorization flaw that allows low-privileged users to obtain administrator accounts.
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.
Deeper analysis
CVE-2025-64423 is a privilege escalation vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. Affecting versions up to and including v4.0.0-beta.434, the issue stems from low-privileged users (members) being able to view and utilize invitation links intended for administrators. By accessing the link before the legitimate recipient, an attacker can log in with administrator privileges. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication).
A low-privileged member account with network access to the Coolify instance can exploit this vulnerability. The attacker monitors or accesses invitation links sent to administrators, then uses one prior to the intended recipient, resulting in successful privilege escalation to full administrator access. This grants high-impact confidentiality, integrity, and availability compromise, potentially allowing control over servers, applications, and databases managed by Coolify.
The GitHub security advisory (GHSA-4fqm-797g-7m6j) notes that, as of publication on 2026-01-05, it is unclear if a patch is available for this issue. Security practitioners should monitor the Coolify repository for updates and consider restricting member access to invitation links or implementing stricter role-based controls until mitigation is confirmed.
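As an added illustration (example code written for this page, not Coolify's own PHP code base), the following Python invitation service applies the controls listed above: the link is treated as an authenticator bound to the recipient's verified email address, it is single-use and time-limited, and pending links are never listed to members. The roles, class names and email addresses are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed roles for this example (not Coolify's own role model).
ADMIN, MEMBER = "admin", "member"


@dataclass
class Invitation:
    email: str            # recipient identity the link is bound to
    role: str             # role the invitee receives on acceptance
    expires_at: datetime
    used: bool = False


@dataclass
class InvitationService:
    invites: dict = field(default_factory=dict)  # token -> Invitation

    def create(self, issuer_role: str, email: str, role: str, ttl_hours: int = 24) -> str:
        """Only administrators may issue invitations (AC-6)."""
        if issuer_role != ADMIN:
            raise PermissionError("only administrators may issue invitations")
        token = secrets.token_urlsafe(32)  # unguessable; the link is an authenticator
        expires = datetime.now(timezone.utc) + timedelta(hours=ttl_hours)
        self.invites[token] = Invitation(email.lower(), role, expires)
        return token

    def list_pending(self, viewer_role: str) -> list:
        """Members never see pending links (AC-3); admins see recipients, not tokens."""
        if viewer_role != ADMIN:
            raise PermissionError("members may not view invitations")
        return [i.email for i in self.invites.values() if not i.used]

    def accept(self, token: str, verified_email: str) -> str:
        """Redeem a link: it must be known, unexpired, unused, and presented by its recipient."""
        inv = self.invites.get(token)
        if inv is None or inv.used or datetime.now(timezone.utc) > inv.expires_at:
            raise PermissionError("invitation unknown, expired or already used")
        # Bind the authenticator to the recipient: the accepting session's verified email
        # must match the address the invitation was issued to (constant-time compare).
        if not hmac.compare_digest(inv.email.encode(), verified_email.lower().encode()):
            raise PermissionError("invitation was issued to a different recipient")
        inv.used = True  # single use: any later redemption of the same link fails
        return inv.role


def is_denied(action, *args) -> bool:
    # True if the action raises PermissionError; used to exercise the checks.
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```

With these checks a member who obtains the link cannot redeem it, because the accepting account's verified email is not the invited address, and an administrator who redeems it first leaves nothing for anyone else to reuse.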
Details
- CWE(s)