Is Your Coolify Server Vulnerable to Complete Takeover?

A recent and comprehensive security disclosure has cast a harsh spotlight on the inherent risks of self-hosted infrastructure, revealing that the popular open-source platform Coolify contains a staggering 11 critical vulnerabilities that could allow attackers to achieve a full compromise of the underlying server. The gravity of this situation is underscored by the fact that the majority of these flaws have been assigned the highest possible Common Vulnerability Scoring System (CVSS) severity score of 10.0, indicating a catastrophic potential for damage. This discovery serves as a critical alert for all administrators running their own Coolify instances, as the vulnerabilities create a direct and, in some cases, trivial path for malicious actors to seize complete control of their systems. The breadth of the affected functionalities, from database management to application deployment, means that virtually no part of the platform is immune, demanding an immediate and decisive response from the user community to mitigate this pervasive threat before it can be exploited.

The Pervasive Threat of Command Injection

A unifying and deeply concerning theme across the majority of the discovered flaws is command injection, a classic yet devastating vulnerability class that allows attackers to execute arbitrary commands on the host operating system. Within Coolify, this weakness was found in several core functionalities accessible to authenticated users. For instance, the database management features were particularly susceptible, with critical injection flaws identified in backup processes (CVE-2025-66209), data import mechanisms (CVE-2025-66210), and even the handling of PostgreSQL initialization scripts (CVE-2025-66211). In each of these cases, a malicious actor with the necessary permissions to interact with these features could craft inputs that break out of the intended operational scope and instead execute system-level commands with root privileges. Similarly, high-impact injection vulnerabilities were uncovered in the Dynamic Proxy Configuration service (CVE-2025-66212) and the File Storage Directory Mount service (CVE-2025-66213), empowering users with specific management roles to take full control of any servers managed by the Coolify instance.

The danger of command injection extends beyond core system services and into the realm of user-provided configuration data, creating a low barrier to entry for privilege escalation. Several of the most severe vulnerabilities stem from Coolify’s improper sanitization and handling of configuration files and input fields. Attackers can achieve root-level command execution by embedding malicious commands within docker-compose.yaml files (CVE-2025-64419), which are then processed and executed by the system. A similar attack vector exists through the git source input fields (CVE-2025-64424, CVE-2025-59157) and Docker Compose directives (CVE-2025-59156), where carefully crafted inputs can trick the platform into running unauthorized code. What makes these particular vulnerabilities especially dangerous is that they can be exploited by users with standard, non-administrative privileges. This provides a remarkably straightforward pathway for a regular or member-level user to escalate their permissions to the highest level, effectively bypassing all intended security controls and gaining complete administrative control over the entire server infrastructure.
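The two vectors the page describes, user-supplied database names and git source fields reaching the shell, come down to one coding mistake. The following is an added illustration, not Coolify's code: it puts the pattern to avoid (splicing input into a shell string) beside the hardened form (validate, then pass discrete argv elements with no shell involved). The `/backups` paths and allow-list patterns are assumptions chosen for the example.

```python
import re
import subprocess
from urllib.parse import urlparse

# Added illustration, not Coolify's code. The allow-lists and paths below are
# assumptions for the example, not values taken from the project.
DB_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$")
GIT_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_./-]{0,127}$")


def backup_command_unsafe(db_name: str) -> str:
    # The pattern to avoid: the name lands inside a /bin/sh command line, so
    # ';', '|', '$()' and similar inside it are interpreted by the shell.
    return f"pg_dump {db_name} > /backups/{db_name}.sql"


def valid_db_name(db_name: str) -> bool:
    # Allow-list: alphanumerics, '_', '.', '-' only; must not start with '-'.
    return DB_NAME.match(db_name) is not None


def backup_argv(db_name: str) -> list[str]:
    # Hardened: validate first, then build argv directly. Nothing here is
    # parsed by a shell, so there is nothing to terminate or chain.
    if not valid_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return ["pg_dump", "--format=custom", "--file", f"/backups/{db_name}.dump", db_name]


def valid_git_source(url: str) -> bool:
    # Accept only https URLs with a host and a repository path; reject values
    # starting with '-', which git would otherwise parse as an option.
    if url.startswith("-"):
        return False
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc) and parsed.path not in ("", "/")


def clone_argv(url: str, ref: str, dest: str) -> list[str]:
    if not valid_git_source(url) or not GIT_REF.match(ref) or ".." in ref:
        raise ValueError("rejected git source or ref")
    # '--' ends option parsing, so neither url nor dest can be read as a flag.
    return ["git", "clone", "--depth", "1", "--branch", ref, "--", url, dest]


def run(argv: list[str]) -> int:
    # shell=False is the default: argv goes straight to execve, untouched.
    return subprocess.run(argv, check=False).returncode
```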

Beyond Injection Exploits and Global Exposure

While command injection represents the most common attack vector, the security audit also uncovered other types of critical vulnerabilities that offer alternative paths to a complete system takeover. One of the most alarming is an information disclosure flaw (CVE-2025-64420) that allows a low-privileged authenticated user to access the private SSH key belonging to the root user of the Coolify instance itself. This vulnerability is particularly potent because it circumvents the need for command execution entirely. By obtaining this key, an attacker can gain direct, authenticated root access to the server via SSH, enabling them to operate with full privileges and without leaving the typical traces of a command injection exploit. Separately, a stored cross-site scripting (XSS) vulnerability (CVE-2025-59158) was identified. This flaw allows an authenticated user to inject a malicious script during the project creation process. This script remains dormant until an administrator performs a subsequent action, such as deleting the project, at which point it executes within the context of the administrator’s browser, potentially leading to session hijacking or further system compromise.

The real-world implications of these vulnerabilities are magnified by the platform’s significant online footprint. According to data from the attack surface management platform Censys, approximately 52,890 Coolify hosts were exposed to the internet as of early 2026, creating a substantial pool of potential targets for malicious actors. The geographical distribution of these exposed instances is widespread, with the highest concentrations found in Germany, the United States, and France. The security flaws impact a range of Coolify v4.0.0 beta builds, specifically all versions leading up to 4.0.0-beta.450. In response to the disclosure, developers have issued patches in several subsequent releases, including versions 4.0.0-beta.420.7, 4.0.0-beta.445, and 4.0.0-beta.451. However, a degree of uncertainty remains, as the official patch status for two of the identified Common Vulnerabilities and Exposures (CVEs) has not yet been clarified. This situation underscores the urgent need for all administrators to verify their current version and apply the necessary updates to secure their deployments against potential compromise.
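Checking an installed build against the versions named above is the first thing an administrator should do. The following is an added example, not Coolify's own tooling: it parses the "4.0.0-beta.N" and "4.0.0-beta.N.M" forms shown on the page numerically (string comparison orders beta.50 after beta.451) and, as a stated assumption, treats 4.0.0-beta.451, the latest patched release named here, as the first build carrying every fix, since all builds up to 4.0.0-beta.450 are reported as affected.

```python
import re

# Added example, not Coolify's own tooling. Assumption: 4.0.0-beta.451 is the
# first build that carries every fix (the page names it as the latest patched
# release and says all builds up to 4.0.0-beta.450 are affected).
VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-beta\.(\d+)(?:\.(\d+))?$")
FIXED_IN = "4.0.0-beta.451"


def parse_version(text: str) -> tuple[int, int, int, int, int]:
    # Numeric tuple so that beta.50 < beta.451 (plain string comparison gets
    # this wrong) and beta.420 < beta.420.7 < beta.445.
    m = VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Coolify version: {text!r}")
    major, minor, patch, beta, sub = m.groups()
    return (int(major), int(minor), int(patch), int(beta), int(sub or 0))


def needs_update(installed: str, fixed_in: str = FIXED_IN) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def assess(installed: str) -> str:
    # One-line verdict suitable for a cron job or a dashboard check.
    if needs_update(installed):
        return f"{installed}: affected, upgrade to {FIXED_IN} or later"
    return f"{installed}: at or above {FIXED_IN}"
```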

A Call for Urgent Remediation

The disclosure of these severe vulnerabilities served as a critical inflection point for the Coolify user base, compelling a swift and thorough response to secure their self-hosted environments. Although there were no public reports of these flaws being actively exploited in the wild at the time of the announcement, the extreme severity ratings and the potential for complete infrastructure compromise meant that inaction was not an option. The situation highlighted the essential need for administrators to move decisively to update their instances to the latest patched versions. This incident underscored a fundamental principle of open-source software security: the responsibility for maintaining a secure posture ultimately rests with the end-user. The detailed breakdown of the vulnerabilities provided a clear roadmap for remediation, and the immediate availability of patched versions offered a direct path to closing these dangerous security gaps before they could be weaponized by threat actors.
