Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key used by Coolify's webhook endpoints to validate incoming requests is the application's manual_webhook_secret_github field, which is nullable with no default, meaning newly created applications have a null webhook secret. PHP's hash_hmac() function silently coerces a null key to an empty string ''. So when the secret is null, the server computes hash_hmac('sha256', $payload, ''), a deterministic value that anyone can calculate independently without knowing any secret. By sending X-Hub-Signature-256: sha256=<hash_hmac('sha256', payload, '')>, an unauthenticated attacker can forge a valid signature and trigger deployments. This vulnerability is fixed in 4.0.0-beta.474.
Published: 2026-06-29
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to forge a valid HMAC signature by exploiting the use of a null webhook secret in Coolify. Because PHP's hash_hmac function treats a null key as an empty string, any attacker can calculate the expected hash and provide it in the X-Hub-Signature-256 header. This bypass of authentication (CWE-287) enables the attacker to trigger deployment endpoints, potentially executing arbitrary code, altering data, or exposing sensitive resources.

Affected Systems

Coolify (coollabsio:coolify) is affected. Versions prior to 4.0.0-beta.474 are vulnerable. The flaw exists where the manual_webhook_secret_github field is null for newly created applications.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as high severity, with no EPSS value available and no listing in CISA's KEV catalog. Attackers do not need credentials; they can send HTTP requests to the deployment webhook from any external network, provided the target is reachable. The exploitation requires a null webhook secret, a condition that many installations may have by default. Given the straightforward attack vector and the high impact of unauthorized deployments, this represents a significant risk to affected environments.

Generated by OpenCVE AI on June 29, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Coolify to version 4.0.0-beta.474 or later, which removes the null-secret flaw.
  • For installations that cannot be upgraded immediately, configure a non-null manual_webhook_secret_github for every application to ensure a valid HMAC key is present.
  • Limit access to webhook endpoints, for example by IP whitelisting or network segmentation, to reduce the attack surface.

Generated by OpenCVE AI on June 29, 2026 at 22:23 UTC.
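The failure mode in the description (a null secret keying hash_hmac() as '') and the remediation recommended above (require a non-null secret) side by side, as an added PHP example. This is not Coolify's code: the two verify functions, the constructed payload and the secret value are hypothetical, written to show why the check must fail closed when no secret is configured.

```php
<?php
// Added example, not Coolify's own code. Both functions are hypothetical stand-ins
// for a GitHub webhook signature check keyed from manual_webhook_secret_github.

// Vulnerable pattern: a null secret reaches hash_hmac(), which (with a deprecation
// notice on PHP 8.1+) coerces it to '' and computes a signature anyone can reproduce.
function verifyGithubSignatureVulnerable(?string $secret, string $payload, string $header): bool
{
    $expected = 'sha256=' . hash_hmac('sha256', $payload, $secret);
    return hash_equals($expected, $header);
}

// Hardened pattern: refuse to verify when no secret is configured, and require the
// expected header prefix before comparing in constant time.
function verifyGithubSignatureHardened(?string $secret, string $payload, string $header): bool
{
    if ($secret === null || $secret === '') {
        // No key configured: fail closed rather than authenticate against a public key.
        return false;
    }
    if (!str_starts_with($header, 'sha256=')) {
        return false;
    }
    $expected = 'sha256=' . hash_hmac('sha256', $payload, $secret);
    return hash_equals($expected, $header);
}

// Constructed sample payload, as a GitHub push event body might look (not real data).
$payload = '{"ref":"refs/heads/main","repository":{"full_name":"example/app"}}';

// Case 1: application created with no secret (the vulnerable default).
$nullSecret = null;
// Header value that can be computed with no knowledge of any secret: keyed with ''.
$keylessHeader = 'sha256=' . hash_hmac('sha256', $payload, '');

echo "null secret, vulnerable check accepts keyless signature: ";
var_dump(verifyGithubSignatureVulnerable($nullSecret, $payload, $keylessHeader));
echo "null secret, hardened check accepts keyless signature:   ";
var_dump(verifyGithubSignatureHardened($nullSecret, $payload, $keylessHeader));

// Case 2: a secret is configured (the recommended workaround); a genuine signature
// still verifies and the keyless one is rejected.
$secret = 'constructed-demo-secret-replace-in-real-use';
$genuineHeader = 'sha256=' . hash_hmac('sha256', $payload, $secret);

echo "configured secret, hardened check accepts genuine signature: ";
var_dump(verifyGithubSignatureHardened($secret, $payload, $genuineHeader));
echo "configured secret, hardened check accepts keyless signature: ";
var_dump(verifyGithubSignatureHardened($secret, $payload, $keylessHeader));
```

Run with `php example.php`. The explicit null/empty guard is the fix that matters: hash_equals() already protects against timing attacks, but it cannot help when the key itself is public, so a verifier must treat "no secret configured" as "no valid signature possible" rather than delegate to hash_hmac()'s coercion.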

Tracking


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 02:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Coollabsio; Coollabsio coolify

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Coollabsio; Coollabsio coolify

Mon, 29 Jun 2026 21:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no default — meaning newly created applications have a null webhook secret. PHP's hash_hmac() function silently coerces a null key to an empty string ''. So when the secret is null, the server computes hash_hmac('sha256', $payload, '') — a deterministic value that any attacker can calculate independently. By sending X-Hub-Signature-256: sha256=<hash_hmac('sha256', payload, '')>, an unauthenticated attacker can forge a valid signature and trigger deployments. This vulnerability is fixed in 4.0.0-beta.474.

Type: Title
  Values Removed: (none)
  Values Added: Coolify: Unauthenticated Deployment Trigger via Webhook HMAC Bypass with Null Secret

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-287

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Coollabsio Coolify
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T20:16:50.951Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41896

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T02:30:05Z

Weaknesses