CVE-2026-27882

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461.
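The comparison flaw described above, shown beside a constant-time check. This is an added example, not Coolify's code or its patch: the function names, the sample secret and the test inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Coolify's code. Names and values are constructed.
// In a webhook handler, $presented would be the secret token header from
// the incoming request and $configured the secret stored for the webhook.

// Vulnerable pattern (CWE-208): !== can stop at the first differing byte,
// so the time taken depends on how much of the token matched.
function rejectInsecure(?string $configured, ?string $presented): bool
{
    return $presented !== $configured; // true means "reject the request"
}

// Hardened pattern: fail closed on unusable input, then compare with
// hash_equals(), whose run time does not depend on where the strings differ.
function rejectHardened(?string $configured, mixed $presented): bool
{
    // No configured secret, or a missing / non-string token: reject outright
    // instead of letting null or '' compare equal to an unset secret.
    if ($configured === null || $configured === '' || !is_string($presented)) {
        return true;
    }
    // Known value first, caller-supplied value second.
    return !hash_equals($configured, $presented);
}

// Constructed sample inputs.
$secret = 'constructed-example-secret';
$cases = [
    'correct token'   => $secret,
    'wrong last byte' => 'constructed-example-secreX',
    'empty token'     => '',
    'missing header'  => null,
];

foreach ($cases as $label => $presented) {
    printf(
        "%-16s insecure=%-6s hardened=%s\n",
        $label,
        rejectInsecure($secret, $presented) ? 'reject' : 'accept',
        rejectHardened($secret, $presented) ? 'reject' : 'accept'
    );
}

// Unset secret and missing header: the insecure check compares null to null.
var_dump(rejectInsecure(null, null), rejectHardened(null, null));
```

Both functions return the same accept/reject decision for the four sample tokens; the difference is how long the decision takes on a near-miss, and how an unset secret is handled in the last line.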
Configurations

No configuration.

History

30 Jun 2026, 17:16

Type | Values Removed | Values Added
References | () https://github.com/coollabsio/coolify/security/advisories/GHSA-x525-46rq-mr8c - | () https://github.com/coollabsio/coolify/security/advisories/GHSA-x525-46rq-mr8c -

30 Jun 2026, 15:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-30 15:16

Updated : 2026-06-30 19:58


NVD link : CVE-2026-27882

Mitre link : CVE-2026-27882

CVE.ORG link : CVE-2026-27882



Products Affected

No product.

CWE
CWE-208

Observable Timing Discrepancy