PatchSiren cyber security CVE debrief
CVE-2026-34171 coollabsio CVE debrief
CVE-2026-34171 is a high-severity vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability exists in the GET /invitations/{uuid} endpoint, which can perform a state-changing password reset using an attacker-known invitation UUID. This allows an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. The issue is fixed in version 4.0.0-beta.471. Users of Coolify should review their current version and update to 4.0.0-beta.471 or later to prevent potential password reset attacks. This vulnerability has a high CVSS score of 8 and is considered a high-priority issue. The NVD entry for this vulnerability is currently Deferred.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Coolify versions prior to 4.0.0-beta.471 should update to the latest version to prevent potential password reset attacks. This includes administrators, developers, and security teams responsible for managing and securing Coolify deployments. Additionally, security teams should review and update any existing invitations to ensure they are not vulnerable.
Technical summary
CVE-2026-34171 is a high-severity vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability exists in the GET /invitations/{uuid} endpoint, which can perform a state-changing password reset using an attacker-known invitation UUID. This allows an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. The issue is fixed in version 4.0.0-beta.471.
Defensive priority
High priority should be given to updating Coolify to version 4.0.0-beta.471 or later to prevent potential password reset attacks.
Recommended defensive actions
- Update Coolify to version 4.0.0-beta.471 or later
- Review and update any existing invitations to ensure they are not vulnerable
- Monitor for any suspicious activity related to password resets
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability is confirmed to exist in Coolify versions prior to 4.0.0-beta.471. The fix is included in version 4.0.0-beta.471. Users should update to the latest version to prevent potential password reset attacks. The CVE record was published on 2026-07-07T04:17:50.513Z and has not been modified since then. The NVD entry is currently Deferred.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:50.513Z and has not been modified since then. The NVD entry is currently Deferred.