CVE-2026-42172
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tok
CVSS
3.1
Bajo
EPSS
0.2%
p9
KEV
—
Exploit Today
3
0-100
Publicado: 7 jul 2026 · Última mod.: 7 jul 2026 · CWE-613
0.2%EPSS · 30 días0.2%
2026-07-072026-07-17
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474.
- github.comhttps://github.com/coollabsio/coolify/commit/b1a78df58efe3ac38679d18c888b5817c7f01216
- github.comhttps://github.com/coollabsio/coolify/pull/9677
- github.comhttps://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474
- github.comhttps://github.com/coollabsio/coolify/security/advisories/GHSA-c83f-5ph7-x8xv
- github.comhttps://github.com/coollabsio/coolify/security/advisories/GHSA-c83f-5ph7-x8xv
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2022-255906.5 MED66.7%
——20SurveyKing v0.2.0 was discovered to retain users' session cookies after logout, allowing attackers to login to the system and access data using the browser cache when the user exits the application.9dCVE-2022-361799.8 CRÍ56.7%
——17Fusiondirectory 1.3 suffers from Improper Session Handling.9dCVE-2022-415425.4 MED45.4%
——14devhub 0.102.0 was discovered to contain a broken session control.9dCVE-2026-443837.5 ALT43.1%
——13Multiple connections to the backend using the same charging station ID
are allowed, which could allow an attacker to deploy multiple instances
of malicious OCPP clients to overwhelm the backend.4dCVE-2022-346245.9 MED40.3%
——12Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.9dCVE-2026-492298.3 ALT35.7%
——11Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.9d