Coolify GitHub/GitLab OAuth Secrets Leak Vulnerability

Vulnerability

A vulnerability in Coolify prior to version 4.0.0-beta.361 allows any authenticated user to access the details page of any GitHub or GitLab configuration on a Coolify instance, simply by knowing the UUID of the model. The flaw is a missing authorization check on that page: the lookup is keyed by UUID alone and is not restricted to configurations the user is entitled to see, which exposes sensitive information including the client ID, client secret, and webhook secret.

Impact

Exploitation of this vulnerability results in the unauthorized disclosure of GitHub or GitLab OAuth secrets, including the client ID, client secret, and webhook secret.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the Coolify instance's GitHub or GitLab source endpoint, including the UUID of the desired configuration. This request will return the details page, revealing the exposed OAuth secrets.

Remediation

Users should update to Coolify version 4.0.0-beta.361 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.