CVE-2026-27882: CWE-208: Observable Timing Discrepancy in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461.
AI Analysis
Technical Summary
Coolify, an open-source server and application management tool, used a non-constant-time string comparison operator (!==) to validate GitLab webhook secret tokens before version 4.0.0-beta.461. This implementation is vulnerable to timing attacks (CWE-208), enabling attackers to gradually discover the secret token by analyzing response time discrepancies. The vulnerability is addressed in version 4.0.0-beta.461.
Potential Impact
An attacker could exploit the timing discrepancy to gradually recover the secret token used for GitLab webhook validation, potentially allowing unauthorized webhook requests. The CVSS 3.1 base score is 4.8 (medium severity), indicating limited impact on confidentiality and integrity, with no impact on availability.
Mitigation Recommendations
Upgrade to coolify version 4.0.0-beta.461 or later, where the timing attack vulnerability has been fixed by using a constant-time string comparison for webhook secret validation. No other mitigations are specified.
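The following is an added illustration, not Coolify's own code: a GitLab webhook token check written first the way the advisory describes (a plain `!==` comparison) and then the hardened way using PHP's `hash_equals()`, which compares every byte regardless of where the strings differ. The handler function, header handling and sample values are constructed for this example; the `X-Gitlab-Token` header name is the one GitLab documents for webhook secret tokens.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Coolify project.

// Weak check (the pattern the advisory describes): `!==` returns as soon as
// the first differing byte is found, so the time taken depends on how many
// leading bytes of the supplied value match the secret (CWE-208).
function webhookTokenMatchesWeak(string $expected, string $provided): bool
{
    if ($expected !== $provided) {
        return false;
    }
    return true;
}

// Hardened check: hash_equals() compares the full length of both strings in
// time that depends only on the length of the known value. The known secret
// must be passed as the first argument.
function webhookTokenMatchesConstantTime(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

// Hypothetical handler showing where the check belongs: the token is
// validated before any payload parsing or deployment work is done, and the
// same generic response is returned for a missing or wrong token.
function handleGitlabWebhook(array $headers, string $body, string $expectedToken): array
{
    $provided = $headers['X-Gitlab-Token'] ?? '';
    if (!webhookTokenMatchesConstantTime($expectedToken, $provided)) {
        return ['status' => 401, 'body' => 'invalid webhook token'];
    }
    $payload = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    return ['status' => 200, 'body' => 'accepted ' . ($payload['object_kind'] ?? 'unknown')];
}

// Constructed sample values for a local run (not real secrets).
$secret = 'constructed-secret-token-not-real';
var_dump(handleGitlabWebhook(['X-Gitlab-Token' => $secret], '{"object_kind":"push"}', $secret));
var_dump(handleGitlabWebhook(['X-Gitlab-Token' => 'wrong-token'], '{"object_kind":"push"}', $secret));
var_dump(handleGitlabWebhook([], '{"object_kind":"push"}', $secret));
```

`hash_equals()` still returns immediately when the two strings have different lengths, so it hides where the values differ but not how long the secret is; for a fixed-length random token that is acceptable. Keeping a single unauthenticated response path (same status, same body, no parsing before the check) removes other sources of measurable difference between a rejected and an accepted request.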
CVSS v3.1
Score 4.8 (medium)
Affected software
pkg:github/coollabsio/coolify
Weaknesses
CWE-208: Observable Timing Discrepancy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T15:19:29.715Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a43db7c27e9c79719f8cbbc
Added to database: 06/30/2026, 15:06:36 UTC
Last enriched: 06/30/2026, 15:22:31 UTC
Last updated: 06/30/2026, 21:01:52 UTC