PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42145 coollabsio CVE debrief

CVE-2026-42145 is a vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The file upload endpoint for database backup restore did not enforce file type or size validation, allowing authenticated users to upload unexpected or oversized files. This could affect service availability. The issue is fixed in version 4.0.0-beta.474.

Vendor
coollabsio
Product
coolify
CVSS
LOW 3.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Coolify, especially those who manage servers, applications, and databases, should be aware of this vulnerability. Authenticated users with access to the file upload endpoint are at risk. Administrators should verify their Coolify version and update to 4.0.0-beta.474 or later if necessary.

Technical summary

The vulnerability exists in the file upload endpoint (app/Http/Controllers/UploadController.php) of Coolify, specifically for database backup restore uploads. Prior to version 4.0.0-beta.474, no file type or size validation was enforced, allowing authenticated users to upload arbitrary or oversized files. This could lead to service availability issues. The CVSS score is 3.1, with a LOW severity. The vulnerability is classified under CWE-434 and CWE-770.

Defensive priority

Medium priority should be given to updating Coolify to version 4.0.0-beta.474 or later. Administrators should verify their current version and assess the risk of authenticated users uploading malicious files.

Recommended defensive actions

  • Update Coolify to version 4.0.0-beta.474 or later
  • Verify current Coolify version
  • Assess risk of authenticated users uploading malicious files
  • Monitor for suspicious file uploads
  • Implement additional file validation if updating is not feasible

Evidence notes

The CVE record was published on 2026-07-07T04:17:51.353Z and last modified on 2026-07-07T13:22:13.557Z. The NVD entry is currently Deferred. The vulnerability details are based on information from the CVE.org record and the NVD detail page.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:51.353Z and has not been modified since then. The NVD entry is currently Deferred.