PatchSiren cyber security CVE debrief
CVE-2026-41899 coollabsio CVE debrief
The Coolify API feedback endpoint was vulnerable to unauthenticated, unlimited, and unvalidated input, allowing attackers to forward arbitrary content to a Discord webhook. This issue was fixed in version 4.0.0-beta.474. The vulnerability could lead to spam, content injection, and webhook abuse. Users of affected versions should update to prevent potential abuse.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of Coolify versions prior to 4.0.0-beta.474 should update to the latest version to prevent potential abuse of their API feedback endpoint. This includes operators, administrators, and security teams managing Coolify deployments.
Technical summary
The Coolify API feedback endpoint, specifically POST /api/feedback, lacked authentication, rate limiting, and input validation. This vulnerability, present in versions before 4.0.0-beta.474, allowed attackers to forward arbitrary content directly to a Discord webhook, potentially leading to spam, content injection, and webhook abuse. The issue was addressed by implementing necessary security measures in version 4.0.0-beta.474, including authentication and input validation.
Defensive priority
Medium priority due to the potential for abuse and the availability of a fix.
Recommended defensive actions
- Update Coolify to version 4.0.0-beta.474 or later
- Review and monitor API feedback endpoint usage
- Implement additional security measures such as rate limiting and input validation for similar endpoints
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD detail provide information on the vulnerability and its fix. Additional details can be found in the source references provided. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and review vendor guidance for specific deployment risks.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T22:16:49.130Z and has not been modified since then. The NVD entry is currently Deferred.