Auth bypass in Coollabsio Coolify
CVE-2025-64423
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low-privileged user (member) can see and use invitation links sent to an adminis…
Vulnerability class: Broken Authentication
EPSS: 0.001 (19.3th percentile)
Affected products
- Coollabsio Coolify — versions <= 4.0.0-beta.434
Weakness classification (CWE)
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j (x_refsource_CONFIRM)