
CVE-2025-64423: CWE-287: Improper Authentication in coollabsio coolify

Severity: High
Tags: Vulnerability, CVE-2025-64423, CWE-287
Published: Mon Jan 05 2026 (01/05/2026, 20:41:37 UTC)
Source: CVE Database V5
Vendor/Project: coollabsio
Product: coolify

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.

AI-Powered Analysis

Last updated: 01/05/2026, 21:07:12 UTC

Technical Analysis

CVE-2025-64423 is an improper authentication vulnerability classified under CWE-287 affecting Coolify, an open-source, self-hostable platform used for managing servers, applications, and databases. In versions up to and including 4.0.0-beta.434, a low-privileged user assigned the 'member' role can access invitation links intended for administrators. These invitation links are used to onboard new administrators by granting them elevated privileges. Because the invitation mechanism does not adequately check who is redeeming a link, a member can use an administrator's invitation link before the legitimate recipient does. By doing so, the attacker effectively escalates their privileges to administrator level without needing the administrator's credentials or additional authentication factors.

This flaw does not require user interaction beyond the attacker using the invitation link and can be exploited remotely over the network. The vulnerability impacts confidentiality by exposing administrative access, integrity by allowing unauthorized changes, and availability by potentially disrupting administrative control. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), required privileges (PR:L) but no user interaction (UI:N), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

As of the publication date, no patch or fix has been confirmed, and no known exploits have been reported in the wild. The root cause is the absence of proper authentication and authorization checks on invitation link usage, a critical flaw in the access control design of Coolify's user management system.
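The analysis above describes an invitation flow that grants the invited role to whoever redeems the link first. The following Python snippet is an added, hypothetical illustration of that pattern beside a hardened version; it is not Coolify's code and makes no claim about how Coolify actually implements invitations. The `InvitationStore`, `accept_weak`, and `accept_hardened` names, the users, and the 24-hour TTL are all assumptions for the example. The hardened variant binds each token to the intended recipient's e-mail, expires it, and makes it single-use, so a logged-in member presenting an administrator's link is refused.

```python
"""Invitation redemption: unsafe pattern beside a hardened one (hypothetical example)."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    role: str  # "member" or "admin"


@dataclass
class Invitation:
    token: str
    invitee_email: str           # account the link was issued for (lower-cased)
    role: str                    # role granted on acceptance
    expires_at: float            # unix timestamp
    accepted_by: Optional[str] = None


class InvitationStore:
    """In-memory store; a real deployment would persist this server-side."""

    def __init__(self, ttl_seconds: int = 24 * 3600) -> None:
        self._by_token: dict[str, Invitation] = {}
        self._ttl = ttl_seconds

    def create(self, invitee_email: str, role: str, now: float) -> Invitation:
        inv = Invitation(
            token=secrets.token_urlsafe(32),       # unguessable, 256-bit token
            invitee_email=invitee_email.lower(),
            role=role,
            expires_at=now + self._ttl,
        )
        self._by_token[inv.token] = inv
        return inv

    def lookup(self, token: str) -> Optional[Invitation]:
        return self._by_token.get(token)


def accept_weak(store: InvitationStore, token: str, user: User, now: float) -> str:
    """Vulnerable pattern: any authenticated account that presents a valid
    token receives the invited role, regardless of who the link was for."""
    inv = store.lookup(token)
    if inv is None:
        return "unknown_token"
    user.role = inv.role
    return "ok"


def accept_hardened(store: InvitationStore, token: str, user: User, now: float) -> str:
    """Hardened pattern: token must be known, unexpired, unused, and the
    redeeming account must be the intended recipient."""
    inv = store.lookup(token)
    if inv is None:
        return "unknown_token"
    if now > inv.expires_at:
        return "expired"
    if inv.accepted_by is not None:
        return "already_used"
    # Constant-time comparison of the two identities (bytes, so non-ASCII is safe).
    if not hmac.compare_digest(inv.invitee_email.encode(), user.email.lower().encode()):
        return "recipient_mismatch"
    inv.accepted_by = user.email.lower()
    user.role = inv.role
    return "ok"
```

The key design choice is that the role change is tied to the identity of the session redeeming the token rather than to possession of the token alone; possession is then only a second factor, and leaking the link to another member no longer yields an administrator account.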

Potential Impact

For European organizations using Coolify, this vulnerability poses a significant risk. Unauthorized privilege escalation to administrator level can lead to full control over managed servers, applications, and databases, potentially exposing sensitive data and critical infrastructure. Attackers could manipulate configurations, deploy malicious code, or disrupt services, impacting business continuity and compliance with data protection regulations such as GDPR. The ability to exploit this remotely without user interaction increases the threat surface, especially in environments with multiple users and frequent administrative invitations. Organizations relying on Coolify for DevOps automation or infrastructure management may face operational disruptions and reputational damage if exploited. The lack of a confirmed patch increases exposure time, necessitating immediate mitigation efforts. Given the growing adoption of open-source management tools in Europe, the impact can be widespread, particularly in sectors like finance, healthcare, and technology where secure infrastructure management is paramount.

Mitigation Recommendations

Until an official patch is released, European organizations should implement strict controls around invitation link generation and distribution. This includes limiting invitation link creation to trusted personnel, using secure communication channels to share links, and monitoring invitation link usage logs for suspicious activity. Implement network segmentation and access controls to restrict member role capabilities and isolate critical management interfaces. Consider temporarily disabling invitation-based onboarding or replacing it with manual administrator account provisioning. Employ multi-factor authentication (MFA) for all administrator accounts to reduce risk if privilege escalation occurs. Regularly audit user roles and privileges to detect anomalies. Stay informed on updates from Coollabsio and apply patches immediately once available. Additionally, conduct penetration testing focused on invitation workflows to identify and remediate related weaknesses. Deploy intrusion detection systems to alert on unusual administrative access patterns. These targeted measures go beyond generic advice by focusing on the specific attack vector and operational context of Coolify deployments.
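One of the recommendations above is to monitor invitation link usage for suspicious activity. The following Python snippet is an added example of such a check, not part of this advisory or of Coolify; the `key=value` audit-line format and the sample events are constructed for illustration and do not reflect Coolify's real log output. It flags three conditions that correspond to the abuse described on this page: a link redeemed by an account other than the invitee, an existing member account gaining the admin role through an invitation, and a single token redeemed more than once.

```python
"""Flag suspicious invitation redemptions in constructed audit logs (example code)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample audit lines; format and values are assumptions for this example.
SAMPLE_LOG = """\
2026-01-05T20:10:01Z event=invite.created token_id=inv-001 invitee=admin@example.test role=admin by=owner@example.test
2026-01-05T20:12:44Z event=invite.accepted token_id=inv-001 invitee=admin@example.test role=admin actor=mallory@example.test actor_role_before=member
2026-01-05T20:15:09Z event=invite.created token_id=inv-002 invitee=dev@example.test role=member by=owner@example.test
2026-01-05T20:16:30Z event=invite.accepted token_id=inv-002 invitee=dev@example.test role=member actor=dev@example.test actor_role_before=none
2026-01-05T20:18:02Z event=invite.accepted token_id=inv-002 invitee=dev@example.test role=member actor=dev@example.test actor_role_before=member
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict[str, str] | None:
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: dict[str, str] = {}
    for item in m.group("kv").split():
        if "=" not in item:
            return None
        k, v = item.split("=", 1)
        fields[k] = v
    fields["ts"] = m.group("ts")
    return fields


def find_suspicious(log_text: str) -> list[tuple[str, str, str]]:
    """Return (token_id, reason, actor) for each suspicious redemption."""
    alerts: list[tuple[str, str, str]] = []
    redemptions: dict[str, int] = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("event") != "invite.accepted":
            continue
        tid = ev.get("token_id", "?")
        actor = ev.get("actor", "?")
        redemptions[tid] += 1
        # 1. Redeemed by someone other than the intended recipient.
        if actor.lower() != ev.get("invitee", "").lower():
            alerts.append((tid, "recipient_mismatch", actor))
        # 2. An existing member account was raised to admin via a link.
        if ev.get("role") == "admin" and ev.get("actor_role_before") == "member":
            alerts.append((tid, "member_to_admin", actor))
        # 3. The same token was redeemed more than once.
        if redemptions[tid] > 1:
            alerts.append((tid, "reused_token", actor))
    return alerts


if __name__ == "__main__":
    for tid, reason, actor in find_suspicious(SAMPLE_LOG):
        print(f"{tid}: {reason} by {actor}")
```

In practice the first two conditions are the ones that map directly to this CVE; the reuse check is cheap to add and catches a related failure in single-use enforcement. The comparison keys (`invitee`, `actor`, `actor_role_before`) would need to be mapped onto whatever fields the real audit source exposes.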


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-03T22:12:51.364Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695c24a73839e441759038f1

Added to database: 1/5/2026, 8:52:55 PM

Last enriched: 1/5/2026, 9:07:12 PM

Last updated: 1/8/2026, 2:27:20 PM
