CVE-2026-41896
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
In Coolify prior to 4.0.0-beta.474, the HMAC key for GitHub webhooks can be null, causing an empty string to be used as the key. An attacker can compute a valid signature and trigger unauthorized deployments.
Risk Assessment
The risk is remote unauthenticated triggering of deployment processes, potentially leading to unauthorized changes in applications and infrastructure.
Recommendation
Immediately upgrade Coolify to version 4.0.0-beta.474 or later and ensure every application has a non-empty webhook secret set.
Original NVD description (English source)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no default — meaning newly created applications have a null webhook secret. PHP's hash_hmac() function silently coerces a null key to an empty string ''. So when the secret is null, the server computes hash_hmac('sha256', $payload, '') — a deterministic value that any attacker can calculate independently. By sending X-Hub-Signature-256: sha256=<hash_hmac('sha256', payload, '')>, an unauthenticated attacker can forge a valid signature and trigger deployments. This vulnerability is fixed in 4.0.0-beta.474.

