Coolify CVE Overview 2025/2026: Critical Vulnerabilities and Urgent Update Required

Running Coolify and need help with secure operations or updates? WZ-IT offers Coolify installation, maintenance, and security hardening. Schedule a free consultation: Book appointment.
Coolify is a popular self-hosted PaaS platform and alternative to Heroku, Netlify, or Vercel. The platform orchestrates deployments and server automation – which is exactly what makes the current security vulnerabilities so critical: Coolify inherently performs privileged operations, often with root privileges on the host system.
According to data from attack surface management platform Censys, as of January 8, 2026, there are 52,890 Coolify instances publicly accessible worldwide. Germany leads this statistic with 15,000 exposed hosts, followed by the USA (9,800), France (8,000), Brazil (4,200), and Finland (3,400).
No active attacks have been observed so far. Given the severity of the vulnerabilities – multiple CVEs with CVSS score 10.0 – an immediate update to at least version 4.0.0-beta.451 is strongly recommended.
Table of Contents
- Critical: RCE & Command Injection
- Account Takeover & Privilege Escalation
- Information Disclosure / Secret Leakage
- Client-Side: Stored XSS
- Older Relevant CVEs (2025)
- Affected Versions Overview
- Typical Attack Chains
- Hardening and Mitigation Recommendations
- Our Approach at WZ-IT
Critical: RCE & Command Injection
These CVEs are particularly critical because user input ends up unsanitized in shell commands – the result is Remote Code Execution, in most cases as root on the managed host.
| CVE | Vulnerability | Attack Vector | Impact | Affected Versions | Fix |
|---|---|---|---|---|---|
| CVE-2025-66209 | Command Injection in Database Backup (DB name unsanitized) | Remote, authenticated, DB backup permissions | RCE as root on managed servers | < 4.0.0-beta.451 | 4.0.0-beta.451 |
| CVE-2025-66210 | Command Injection in Database Import | Remote, authenticated, App/Service management rights | RCE as root | < 4.0.0-beta.451 | 4.0.0-beta.451 |
| CVE-2025-66211 | Command Injection via PostgreSQL Init Script Filename | Remote, authenticated, DB permissions | RCE as root | < 4.0.0-beta.451 | 4.0.0-beta.451 |
| CVE-2025-66212 | Command Injection via Dynamic Proxy Configuration Filename | Remote, authenticated, Server management rights | RCE as root | < 4.0.0-beta.451 | 4.0.0-beta.451 |
| CVE-2025-66213 | Command Injection via File Storage Directory Mount Path | Remote, authenticated, App/Service management rights | RCE as root | < 4.0.0-beta.451 | 4.0.0-beta.451 |
| CVE-2025-64419 | Unsanitized parameters from docker-compose.yaml | Supply-chain: victim creates app from attacker repo | Commands as root | < 4.0.0-beta.445 | 4.0.0-beta.445 |
| CVE-2025-64424 | Command Injection in Git source input fields | Remote, authenticated, low-priv member | RCE as root | ≤ 4.0.0-beta.434 | Patched |
| CVE-2025-59156 | Docker Compose Directive Injection (Host FS mount) | Remote, authenticated, low-priv member | Root-level RCE on host | < 4.0.0-beta.420.7 | 4.0.0-beta.420.7 |
| CVE-2025-59157 | Command Injection in Git Repository field | Remote, authenticated, member | RCE in deployment context | < 4.0.0-beta.420.7 | 4.0.0-beta.420.7 |
Core Problem: Multiple independent code paths (DB backup/import, proxy configuration, storage mounts, Git fields, Compose) implement the "User Input → Shell" pattern without sufficient validation.
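To make the "User Input → Shell" pattern concrete, here is an added example (written for this article in Python; it is not Coolify's own PHP code) that contrasts a backup command built by string interpolation with a hardened version that allow-lists the database identifier and hands the command over as an argument list. The backup directory, the identifier rule and the SSH transport helper are assumptions made for the example.

```python
import re
import shlex

# Constructed allow-list (an assumption, not Coolify's rule): a database name
# is a plain identifier, nothing else is accepted before it reaches a shell.
DB_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")

# Assumed dump directory on the managed server (placeholder path).
BACKUP_DIR = "/var/backups/coolify"


def build_backup_command_vulnerable(db_name: str) -> str:
    """The anti-pattern: the user-controlled name is pasted into a command
    string that a shell later interprets. Any shell metacharacter in the
    name becomes part of the command line."""
    return f"pg_dump {db_name} > {BACKUP_DIR}/{db_name}.sql"


def validate_db_name(db_name: str) -> str:
    """Reject anything that is not a plain identifier."""
    if not DB_NAME_RE.fullmatch(db_name):
        raise ValueError(f"invalid database name: {db_name!r}")
    return db_name


def build_backup_command_hardened(db_name: str) -> list[str]:
    """Validate first, then build an argv list. The output redirection is
    not delegated to a shell: pg_dump writes the file itself via --file."""
    name = validate_db_name(db_name)
    return ["pg_dump", "--file", f"{BACKUP_DIR}/{name}.sql", name]


def to_ssh_command_line(argv: list[str]) -> str:
    """Execution on a remote host over SSH still needs one string. shlex.join
    quotes every argument so the remote shell sees exactly one word per
    argument; this is the second layer behind the allow-list, not a
    replacement for it."""
    return shlex.join(argv)


if __name__ == "__main__":
    good = "app_db"
    bad = "app_db; echo injected"   # constructed sample, only used to show rejection
    print("vulnerable :", build_backup_command_vulnerable(bad))
    print("hardened   :", to_ssh_command_line(build_backup_command_hardened(good)))
    try:
        build_backup_command_hardened(bad)
    except ValueError as exc:
        print("rejected   :", exc)
```

The same two layers apply to every code path listed in the table: validate the value against the narrow shape it must have (identifier, filename, mount path, repository URL), then pass it as a discrete argument rather than as part of a shell string.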
Account Takeover & Privilege Escalation
These CVEs are particularly relevant for multi-user setups or when inviting users you don't fully trust.
| CVE | Vulnerability | Attack Vector | Impact | Affected Versions | Fix |
|---|---|---|---|---|---|
| CVE-2025-64421 | Invite flow: Member can invite themselves as Admin | Remote, authenticated, low-priv member | Privilege Escalation → Admin | ≤ 4.0.0-beta.434 | Patched |
| CVE-2025-64423 | Member can view Admin invitation links | Remote, authenticated, low-priv member | Privilege Escalation → Admin | ≤ 4.0.0-beta.434 | Patched |
| CVE-2025-64425 | Host Header Injection in password reset | Remote, no auth, user interaction required | Account Takeover via reset token | ≤ 4.0.0-beta.434 | Patched |
| CVE-2025-64422 | Rate-Limit Bypass at /login via X-Forwarded-For | Remote, unauth, brute force possible | Increased risk of account compromise | from 4.0.0-beta.434 | Patched |
Information Disclosure / Secret Leakage
| CVE | Vulnerability | Attack Vector | Impact | Affected Versions | Fix |
|---|---|---|---|---|---|
| CVE-2025-64420 | Low-priv user can view root user's private key | Remote, authenticated, low-priv | SSH as root → full compromise | ≤ 4.0.0-beta.434 | Patched |
| CVE-2025-59955 | API leak: email_change_code via team member endpoints | Remote, authenticated, team member | Unauthorized email change possible | ≤ 4.0.0-beta.420.8 | Unclear |
Client-Side: Stored XSS
| CVE | Vulnerability | Attack Vector | Impact | Affected Versions | Fix |
|---|---|---|---|---|---|
| CVE-2025-59158 | Stored XSS via Project Name | Remote, authenticated, low-priv member, admin performs delete action | Session hijacking in admin context | ≤ 4.0.0-beta.420.6 | 4.0.0-beta.420.7 |
Older Relevant CVEs (2025)
These CVEs are not the most recent but target the same fundamental class: missing authorization for sensitive operations.
| CVE | Vulnerability | Impact | Affected Versions | Fix |
|---|---|---|---|---|
| CVE-2025-22609 | Auth user can attach existing private key to own server config | Can lead to RCE/server compromise | < 4.0.0-beta.361 | 4.0.0-beta.361 |
| CVE-2025-22611 | Auth user can escalate roles (up to Owner) / remove others | Privilege escalation, control over team/instance | < 4.0.0-beta.361 | 4.0.0-beta.361 |
| CVE-2025-22612 | Auth user can read private keys in plaintext | Secret leakage → server compromise | < 4.0.0-beta.374 | 4.0.0-beta.374 |
Affected Versions Overview
| Version | Status |
|---|---|
| < 4.0.0-beta.361 | Critical – missing authorization for keys/roles |
| < 4.0.0-beta.374 | Critical – Private Key leakage |
| < 4.0.0-beta.420.7 | Critical – Compose Injection, Git-Repo Injection, XSS |
| < 4.0.0-beta.445 | Critical – docker-compose.yaml Command Injection |
| < 4.0.0-beta.451 | Critical – 5× Command Injection (DB, Proxy, Storage) |
| ≥ 4.0.0-beta.451 | Recommended – all known critical CVEs patched |
Typical Attack Chains
Without detailing exploits, attacks typically follow this pattern:
- Initial Access: Attacker gains low-priv access (Member) or exploits auth flow weakness (Invite/Reset/Brute force)
- Privilege Escalation / RCE: From Member context, achieves root Code Execution via Command Injection or Compose Injection
- Lateral Movement/Impact: Access to keys/host/SSH → compromise of additional systems
Hardening and Mitigation Recommendations
Patch/Upgrade (Priority 1)
Upgrading to ≥ 4.0.0-beta.451 is the most important step. This version fixes:
- All 5 critical Command Injection CVEs (66209-66213)
- docker-compose.yaml parameter issue (64419)
- Compose/Git-Repo Injection & Stored XSS (59156/59157/59158)
Defense-in-Depth (for Multi-User Setups)
- Configure RBAC restrictively: Keep member rights minimal; assign App/Service management only to trusted roles
- Secure invitation/reset flows: Strict link handling, host header validation, logging/alerting
- Brute force resilience: Enforce rate limits server-side via reverse proxy/WAF
- Key hygiene: Rotate private keys, minimize root SSH, separate keys per server/team
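The two auth-flow items above (host header validation for reset links, server-side rate limiting that cannot be bypassed via X-Forwarded-For) are illustrated by this added example. It is written for this article in Python and is not Coolify's code; the trusted-proxy range, the canonical hostname and the reset URL path are placeholders chosen for the example.

```python
from __future__ import annotations

import ipaddress
import time
from collections import defaultdict, deque

# Assumptions for this example (placeholders, not Coolify settings): the
# reverse proxy in front of the panel lives in this range, and the panel's
# public name is fixed in configuration rather than read from the request.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
CANONICAL_HOST = "coolify.example.internal"


def _is_trusted_proxy(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: str | None) -> str:
    """Pick the address to rate-limit on.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy,
    and even then only the right-most hop that is not itself a trusted proxy
    counts: that is the address the nearest proxy actually observed. Anything
    further left was supplied by the client and can contain any value."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer) or not x_forwarded_for:
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if not _is_trusted_proxy(addr):
            return str(addr)
    return remote_addr


class LoginRateLimiter:
    """Sliding-window limiter keyed on client_ip(); the key cannot be
    rotated by editing a request header."""

    def __init__(self, limit: int = 5, window_seconds: float = 60.0) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, remote_addr: str, x_forwarded_for: str | None,
              now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[client_ip(remote_addr, x_forwarded_for)]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def build_reset_link(request_host: str, token: str) -> str:
    """Password-reset links are built from the configured host, never from
    the Host header. A mismatch is rejected and is worth an alert."""
    if request_host.strip().lower() != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header: {request_host!r}")
    return f"https://{CANONICAL_HOST}/reset-password/{token}"


if __name__ == "__main__":
    limiter = LoginRateLimiter(limit=3)
    # Constructed requests: an untrusted peer rotating X-Forwarded-For values.
    for i in range(5):
        print("attempt", i, "allowed:", limiter.allow("203.0.113.5", f"198.51.100.{i}"))
    print(build_reset_link("coolify.example.internal", "TOKEN-PLACEHOLDER"))
```

If Coolify sits behind a reverse proxy or WAF, the same rule applies there: configure the proxy to overwrite X-Forwarded-For with the address it observed instead of appending to whatever the client sent, and make the rate limit key use that value.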
Network Level
- Don't expose Coolify admin interface publicly
- Restrict access via VPN or IP whitelist
- Set up monitoring for unusual API calls
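What "monitoring for unusual API calls" can look like in practice, tied to the stages of the attack chain described earlier, is shown by this added example (written for this article in Python, not part of Coolify). It runs three detections over constructed JSON-lines audit records: a non-admin account calling an admin-only endpoint, shell metacharacters in fields that end up in commands, and a burst of failed logins from one address. The endpoint paths, field names and thresholds are placeholders chosen for the example.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed audit-log records for this example, not real Coolify logs.
SAMPLE_LOG = """
{"ts": 1736330000, "ip": "198.51.100.7", "user": "alice", "role": "member", "method": "POST", "path": "/api/databases/backup", "params": {"db_name": "app_db"}, "status": 200}
{"ts": 1736330005, "ip": "198.51.100.7", "user": "alice", "role": "member", "method": "POST", "path": "/api/databases/backup", "params": {"db_name": "app_db; echo test"}, "status": 200}
{"ts": 1736330010, "ip": "198.51.100.7", "user": "alice", "role": "member", "method": "GET", "path": "/api/security/private-keys", "params": {}, "status": 200}
{"ts": 1736330020, "ip": "203.0.113.9", "user": "-", "role": "-", "method": "POST", "path": "/login", "params": {}, "status": 401}
{"ts": 1736330021, "ip": "203.0.113.9", "user": "-", "role": "-", "method": "POST", "path": "/login", "params": {}, "status": 401}
{"ts": 1736330022, "ip": "203.0.113.9", "user": "-", "role": "-", "method": "POST", "path": "/login", "params": {}, "status": 401}
{"ts": 1736330023, "ip": "203.0.113.9", "user": "-", "role": "-", "method": "POST", "path": "/login", "params": {}, "status": 401}
{"ts": 1736330024, "ip": "203.0.113.9", "user": "-", "role": "-", "method": "POST", "path": "/login", "params": {}, "status": 401}
{"ts": 1736330030, "ip": "192.0.2.4", "user": "bob", "role": "owner", "method": "GET", "path": "/api/security/private-keys", "params": {}, "status": 200}
"""

# Placeholder endpoint paths and field names (assumptions for this example,
# not Coolify's actual routes or parameter names).
ADMIN_ONLY_PATHS = {"/api/security/private-keys", "/api/teams/invitations"}
INPUT_FIELDS = ("db_name", "mount_path", "filename", "repository")
SHELL_META = re.compile(r"[;&|`$<>\n]")
LOGIN_FAILURE_THRESHOLD = 5
PRIVILEGED_ROLES = {"owner", "admin"}


def parse_records(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records: list[dict]) -> list[dict]:
    """Return one finding per rule hit; each finding names the rule and the
    record details an analyst needs to follow up."""
    findings: list[dict] = []
    failed_logins: dict[str, list[int]] = defaultdict(list)
    for r in records:
        # Privilege-escalation indicator: low-privileged role on an admin endpoint.
        if r["role"] not in PRIVILEGED_ROLES and r["path"] in ADMIN_ONLY_PATHS:
            findings.append({"rule": "non_admin_on_admin_endpoint", "ts": r["ts"],
                             "user": r["user"], "ip": r["ip"], "path": r["path"]})
        # Command-injection indicator: shell metacharacters in command-bound fields.
        for field in INPUT_FIELDS:
            value = r["params"].get(field)
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append({"rule": "shell_metachar_in_input", "ts": r["ts"],
                                 "user": r["user"], "ip": r["ip"],
                                 "field": field, "value": value})
        # Initial-access indicator: repeated failed logins from one address.
        if r["path"] == "/login" and r["status"] == 401:
            failed_logins[r["ip"]].append(r["ts"])
    for ip, stamps in failed_logins.items():
        if len(stamps) >= LOGIN_FAILURE_THRESHOLD:
            findings.append({"rule": "login_failure_burst", "ip": ip,
                             "count": len(stamps),
                             "first_ts": min(stamps), "last_ts": max(stamps)})
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Findings per rule, convenient for a dashboard or a quick sanity check."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = detect(parse_records(SAMPLE_LOG))
    for f in results:
        print(f)
    print(summarize(results))
```

The owner's call to the key endpoint produces no finding, which is the point of keying the first rule on role rather than on the path alone; after the update, these rules remain useful as regression checks that the RBAC configuration still denies what it should.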
Our Approach at WZ-IT
At WZ-IT, we help organizations run Coolify securely:
- Security Audit: Review of your existing Coolify installation for known vulnerabilities
- Managed Updates: Regular, tested updates without downtime
- Hardening: RBAC configuration, network segmentation, monitoring
- Installation: Secure new installation with best practices
Learn more about our Coolify services: Coolify Expertise | Installation & Setup
Further Resources
- Coolify: Deploy a Next.js App in 4 Steps – Our introduction guide
- Coolify Expertise at WZ-IT – Overview of our services
- Coolify Installation & Setup – On-Premise, Cloud & Hybrid
Conclusion: Coolify is a powerful tool for self-hosted deployments – but with great power comes great responsibility. The current CVEs demonstrate that consistent patching is essential for orchestration platforms. Update to ≥ 4.0.0-beta.451 and review your RBAC configuration.
Need help with updating or security hardening your Coolify instance? Contact us – we're happy to help.
Frequently Asked Questions
Answers to important questions about this topic
Currently, version 4.0.0-beta.451 or higher should be used. This version fixes all critical Command Injection CVEs (CVE-2025-66209 through CVE-2025-66213). Patches for older CVEs are available in earlier versions.
Most CVEs require authentication but can be exploited with low privileges (Member role). Some, like the Host Header Injection bug (CVE-2025-64425), don't require authentication but need user interaction.
The Command Injection CVEs (CVE-2025-66209 through CVE-2025-66213) all have a CVSS score of 10.0 and enable Remote Code Execution as root on the host system. An authenticated attacker can take over the entire server infrastructure.
As of January 2026, no active exploits in the wild are known. Given the severity (CVSS 10.0) and 52,890 publicly accessible instances worldwide, an immediate update is strongly recommended.
Let's Talk About Your Idea
Whether a specific IT challenge or just an idea – we look forward to the exchange. In a brief conversation, we'll evaluate together if and how your project fits with WZ-IT.

Timo Wevelsiep & Robin Zins
CEOs of WZ-IT