Coolify OAuth Configuration Exposure Vulnerability
Vulnerability
A vulnerability in Coolify versions prior to 4.0.0-beta.361 allows any authenticated user to access and modify the global OAuth configuration. This flaw arises from a lack of proper authorization, which enables the exposure of sensitive information such as the 'client id' and 'client secret' for all custom OAuth providers used in the Coolify instance.
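The authorization gap described above, shown as an added example that is not Coolify's code: a minimal plain-PHP settings handler in the vulnerable shape (the only check is that some user is logged in, so any authenticated user can read and update the global OAuth providers) beside a hardened shape that checks an instance-admin flag in every handler and never returns stored client secrets in read responses. The class names, the `isInstanceAdmin` flag and the provider values are assumptions constructed for this illustration, not Coolify identifiers or real credentials.

```php
<?php
// Added illustration, not Coolify's code. Models the missing authorization
// check the advisory describes on a global OAuth settings endpoint.

final class User
{
    public function __construct(
        public readonly string $name,
        public readonly bool $isInstanceAdmin, // assumed instance-level admin flag
    ) {}
}

final class OauthSettingsStore
{
    /** @var array<string, array{client_id:string, client_secret:string}> */
    private array $providers = [
        // constructed sample values, not real credentials
        'example-provider' => [
            'client_id'     => 'example-client-id',
            'client_secret' => 'example-client-secret',
        ],
    ];

    public function all(): array
    {
        return $this->providers;
    }

    public function update(string $provider, array $values): void
    {
        $this->providers[$provider] = array_merge($this->providers[$provider] ?? [], $values);
    }
}

// Vulnerable shape: authentication is checked, authorization is not.
final class VulnerableOauthSettings
{
    public function __construct(private OauthSettingsStore $store) {}

    public function show(?User $user): array
    {
        if ($user === null) {
            throw new RuntimeException('unauthenticated');
        }
        return $this->store->all(); // every logged-in user receives client secrets
    }

    public function update(?User $user, string $provider, array $values): void
    {
        if ($user === null) {
            throw new RuntimeException('unauthenticated');
        }
        $this->store->update($provider, $values); // any logged-in user can rewrite global config
    }
}

// Hardened shape: every handler authorizes, and reads report only whether a
// secret is configured, never its value.
final class HardenedOauthSettings
{
    public function __construct(private OauthSettingsStore $store) {}

    private function authorize(?User $user): void
    {
        if ($user === null) {
            throw new RuntimeException('unauthenticated');
        }
        if (!$user->isInstanceAdmin) {
            throw new RuntimeException('forbidden');
        }
    }

    public function show(?User $user): array
    {
        $this->authorize($user);
        $redacted = [];
        foreach ($this->store->all() as $name => $cfg) {
            $redacted[$name] = [
                'client_id'         => $cfg['client_id'],
                'client_secret_set' => $cfg['client_secret'] !== '',
            ];
        }
        return $redacted;
    }

    public function update(?User $user, string $provider, array $values): void
    {
        $this->authorize($user);
        $this->store->update($provider, $values);
    }
}

// Demonstration with two constructed users.
$store  = new OauthSettingsStore();
$admin  = new User('admin', true);
$member = new User('member', false);

$vulnerable = new VulnerableOauthSettings($store);
echo "vulnerable, member sees secret: ",
    $vulnerable->show($member)['example-provider']['client_secret'], "\n";

$hardened = new HardenedOauthSettings($store);
try {
    $hardened->show($member);
} catch (RuntimeException $e) {
    echo "hardened, member: ", $e->getMessage(), "\n"; // forbidden
}
print_r($hardened->show($admin)); // client_id plus client_secret_set => true, no secret value
```

In a Laravel application such as Coolify the admin check would normally live in a gate, policy or route middleware rather than inline in each handler; the point the example makes is that the check must cover both the read and the write path, and that a read endpoint has no reason to echo a stored client secret back even to an authorized administrator.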
Impact
Exploitation of this vulnerability leads to unauthorized access to OAuth credentials, which could be misused to impersonate the application or its users with the affected OAuth providers.
Reproduction
To reproduce this vulnerability, authenticate as a user with access to the Coolify instance. Then, navigate to the OAuth settings page. The absence of proper authorization will allow access to the OAuth configuration, including sensitive credentials.
Remediation
Users should upgrade to Coolify version 4.0.0-beta.361 or later.
