CVE-2026-41896

HIGH 7.5

Coolify: Unauthenticated Deployment Trigger via Webhook HMAC Bypass with Null Secret

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no default — meaning newly created applications have a null webhook secret. PHP's hash_hmac() function silently coerces a null key to an empty string ''. So when the secret is null, the server computes hash_hmac('sha256', $payload, '') — a deterministic value that any attacker can calculate independently. By sending X-Hub-Signature-256: sha256=<hash_hmac('sha256', payload, '')>, an unauthenticated attacker can forge a valid signature and trigger deployments. This vulnerability is fixed in 4.0.0-beta.474.

CWE	CWE-287
Vendor	coollabsio
Product	coolify
Published	Jun 29, 2026

Stay Ahead of the Next One

Get instant alerts for coollabsio coolify

Be the first to know when new high vulnerabilities affecting coollabsio coolify are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

coollabsio / coolify

< 4.0.0-beta.474

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/coollabsio/coolify/security/advisories/GHSA-w8wm-r924-f65v