PatchSiren cyber security CVE debrief
CVE-2026-42172 coollabsio CVE debrief
Coolify, an open-source tool for managing servers, applications, and databases, had an issue with Sanctum API tokens not expiring. This allowed leaked tokens to retain access indefinitely until manually revoked. The issue was fixed in version 4.0.0-beta.474. Affected users should verify their installations and update to the latest version to ensure token expiration. The vulnerability has a low CVSS score of 3.1 and is considered a low priority for users of Coolify versions prior to 4.0.0-beta.474.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- LOW 3.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Coolify versions prior to 4.0.0-beta.474 should verify their installations and update to the latest version to ensure token expiration. This includes operators, platform administrators, vulnerability management teams, and security teams who manage Coolify deployments.
Technical summary
Coolify, an open-source tool for managing servers, applications, and databases, had an issue with Sanctum API tokens not expiring. This allowed leaked tokens to retain access indefinitely until manually revoked. The issue was fixed in version 4.0.0-beta.474. Users of Coolify versions prior to 4.0.0-beta.474 should verify their installations and update to the latest version to ensure token expiration. The vulnerability has a low CVSS score of 3.1 and is considered a low priority.
Defensive priority
Medium priority for users of Coolify versions prior to 4.0.0-beta.474
Recommended defensive actions
- Update to Coolify version 4.0.0-beta.474 or later
- Verify and revoke any existing Sanctum API tokens
- Monitor for suspicious activity related to API tokens
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD entry provide limited information about the vulnerability. Further investigation is needed to determine the full scope of the issue. Evidence is limited, and defenders should verify Coolify installations, review Sanctum API token usage, and monitor for suspicious activity. The vulnerability affects Coolify versions prior to 4.0.0-beta.474, and users should update to the latest version to ensure token expiration.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:52.133Z and has not been modified since then.