CVE-2026-42172: CWE-613: Insufficient Session Expiration in coollabsio coolify
Coolify versions prior to 4.0.0-beta.474 used Sanctum API tokens that did not expire, which could allow a leaked token to maintain indefinite access until manually revoked. This issue is addressed in version 4.0.0-beta.474. The vulnerability has a low severity rating with a CVSS score of 3.1.
AI Analysis
Technical Summary
CVE-2026-42172 describes an insufficient session expiration vulnerability (CWE-613) in coollabsio's Coolify product. Before version 4.0.0-beta.474, Sanctum API tokens issued by Coolify did not have an expiration mechanism, meaning that if a token was leaked, it could be used indefinitely without automatic invalidation. This issue was fixed in version 4.0.0-beta.474 by introducing token expiration.
Potential Impact
The impact is limited to the confidentiality of the system since leaked API tokens could allow unauthorized access to the Coolify management interface or APIs until the token is manually revoked. There is no impact on integrity or availability. The CVSS score of 3.1 reflects a low severity due to the requirement for a leaked token and the lack of privilege escalation or denial of service.
Mitigation Recommendations
Upgrade to Coolify version 4.0.0-beta.474 or later, where Sanctum API tokens have expiration implemented. Until upgrading, manually revoke any leaked or suspicious API tokens to prevent indefinite access. No other vendor advisory or patch information is provided, so check official Coolify sources for updates.
CVE-2026-42172: CWE-613: Insufficient Session Expiration in coollabsio coolify
Description
Coolify versions prior to 4.0.0-beta.474 used Sanctum API tokens that did not expire, which could allow a leaked token to maintain indefinite access until manually revoked. This issue is addressed in version 4.0.0-beta.474. The vulnerability has a low severity rating with a CVSS score of 3.1.
CVSS v3.1
Score 3.1low
Affected software
pkg:github/coollabsio/coolifyRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42172 describes an insufficient session expiration vulnerability (CWE-613) in coollabsio's Coolify product. Before version 4.0.0-beta.474, Sanctum API tokens issued by Coolify did not have an expiration mechanism, meaning that if a token was leaked, it could be used indefinitely without automatic invalidation. This issue was fixed in version 4.0.0-beta.474 by introducing token expiration.
Potential Impact
The impact is limited to the confidentiality of the system since leaked API tokens could allow unauthorized access to the Coolify management interface or APIs until the token is manually revoked. There is no impact on integrity or availability. The CVSS score of 3.1 reflects a low severity due to the requirement for a leaked token and the lack of privilege escalation or denial of service.
Mitigation Recommendations
Upgrade to Coolify version 4.0.0-beta.474 or later, where Sanctum API tokens have expiration implemented. Until upgrading, manually revoke any leaked or suspicious API tokens to prevent indefinite access. No other vendor advisory or patch information is provided, so check official Coolify sources for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T01:53:21.581Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4c745c27e9c79719d47771
Added to database: 07/07/2026, 03:37:00 UTC
Last enriched: 07/07/2026, 03:51:50 UTC
Last updated: 07/07/2026, 03:51:50 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.