Impact
Coolify, an open-source self-hosted platform for managing infrastructure, uses a plain string comparison (!==) when validating the webhook secret token sent by GitLab. This non-constant-time comparison enables a timing attack that allows an attacker to deduce the token one character at a time by measuring response times. The consequence is that an adversary could recover the entire secret token, enabling them to forge valid GitLab webhook requests and potentially trigger unauthorized deployments or other privileged actions within the Coolify environment.
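The comparison pattern at issue, shown as an added PHP illustration (not Coolify's own code): the vulnerable early-exit form beside a hardened check using hash_equals(), plus a spelled-out constant-time loop. Function names and the sample secret are assumed; GitLab delivers the configured secret verbatim in the X-Gitlab-Token request header.

```php
<?php
// Added example, not taken from the Coolify code base.

// Vulnerable pattern described in the advisory: !== returns as soon as a
// byte differs, so the elapsed time depends on how many leading bytes of the
// supplied value match the real secret.
function validateTokenVulnerable(string $expected, ?string $provided): bool
{
    if ($provided === null || $expected !== $provided) {
        return false;
    }
    return true;
}

// Hardened form: hash_equals() runs in time independent of the contents of
// $provided. The known secret must be the first argument. A length mismatch
// still returns false immediately, which only reveals the token's length.
function validateTokenHardened(string $expected, ?string $provided): bool
{
    if ($provided === null) {
        return false;
    }
    return hash_equals($expected, $provided);
}

// Equivalent logic written out: XOR each byte pair and OR the results
// together, with no early return, so every byte is always examined.
function constantTimeEquals(string $a, string $b): bool
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Constructed sample values so the file runs stand-alone.
$secret = 'constructed-webhook-secret-123';
$headerValue = 'constructed-webhook-secret-124'; // stands in for X-Gitlab-Token

var_dump(validateTokenHardened($secret, $secret));
var_dump(validateTokenHardened($secret, $headerValue));
var_dump(validateTokenHardened($secret, null));
var_dump(constantTimeEquals($secret, $secret));
var_dump(constantTimeEquals($secret, $headerValue));
```

In a Laravel controller the header would be read with the request object and passed as the second argument; the secret from configuration is always the first argument to hash_equals().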
Affected Systems
Vulnerable versions of Coolify are those released before 4.0.0-beta.461. The issue is tracked for the Coolify project under the vendor identifier coollabsio:coolify. Any instance running an earlier release exposes its GitLab webhook endpoint to the timing attack; unpatched code from before that version is therefore affected.
Risk and Exploitability
The CVSS score of 4.8 places this at medium severity, and no EPSS data is available, so the likelihood of exploitation in the wild is uncertain. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to query the GitLab webhook URL repeatedly and measure the response time of each request accurately. While the attack is straightforward in principle, it needs a controlled measurement environment and sustained access, so the risk is moderate rather than trivial. Operators should treat this as a potential exposure of the webhook secret token, especially where the token gates sensitive operations.
OpenCVE Enrichment