PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41899 coollabsio CVE debrief

The Coolify API feedback endpoint was vulnerable to unauthenticated, unlimited, and unvalidated input, allowing attackers to forward arbitrary content to a Discord webhook. This issue was fixed in version 4.0.0-beta.474. The vulnerability could lead to spam, content injection, and webhook abuse. Users of affected versions should update to prevent potential abuse.

Vendor
coollabsio
Product
coolify
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of Coolify versions prior to 4.0.0-beta.474 should update to the latest version to prevent potential abuse of their API feedback endpoint. This includes operators, administrators, and security teams managing Coolify deployments.

Technical summary

The Coolify API feedback endpoint, specifically POST /api/feedback, lacked authentication, rate limiting, and input validation. This vulnerability, present in versions before 4.0.0-beta.474, allowed attackers to forward arbitrary content directly to a Discord webhook, potentially leading to spam, content injection, and webhook abuse. The issue was addressed by implementing necessary security measures in version 4.0.0-beta.474, including authentication and input validation.

Defensive priority

Medium priority due to the potential for abuse and the availability of a fix.

Recommended defensive actions

  • Update Coolify to version 4.0.0-beta.474 or later
  • Review and monitor API feedback endpoint usage
  • Implement additional security measures such as rate limiting and input validation for similar endpoints
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its fix. Additional details can be found in the source references provided. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and review vendor guidance for specific deployment risks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T22:16:49.130Z and has not been modified since then. The NVD entry is currently Deferred.