CVE-2026-27882
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
Coolify prior to version 4.0.0-beta.461 uses a non-constant-time string comparison operator (!==) to validate the GitLab webhook secret token. This allows an attacker to gradually discover the secret token by measuring response time differences (timing attack).
Risk Assessment
An attacker could discover the GitLab webhook secret token, enabling them to impersonate legitimate requests and potentially take control of managed applications or data.
Recommendation
Immediately update Coolify to version 4.0.0-beta.461 or later, which includes a fix that eliminates the timing attack vulnerability.
Original NVD description (English source)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461.

