Your self-hosted servers might be at grave risk, and you probably didn’t even know it. Coolify, a popular open-source self-hosting platform, has just disclosed 11 critical vulnerabilities that could allow attackers to fully compromise your servers. These flaws, ranging from command injection to information disclosure, are so severe that the worst of them have earned perfect 10.0 CVSS scores—the highest possible rating for security risks. But here’s where it gets even more alarming: these vulnerabilities aren’t just theoretical; the affected software is running on thousands of internet-exposed hosts worldwide, with Germany, the U.S., France, Brazil, and Finland leading the pack.
Let’s break it down in a way that’s easy to understand, even if you’re not a cybersecurity expert. These vulnerabilities primarily revolve around command injection, a class of flaw in which user-controlled input (a database name, a repository URL, a configuration field) is passed to a shell or operating-system command without being validated or escaped, so an attacker’s text is executed as part of that command. For instance, CVE-2025-66209 allows any authenticated user with database backup permissions to execute arbitrary commands on the host server, effectively bypassing container isolation and gaining full control. Similarly, CVE-2025-66210 lets attackers compromise entire infrastructures through the database import functionality. And this is the part most people miss: even low-privileged users can exploit flaws like CVE-2025-64420 to steal root user private keys, granting them unauthorized SSH access.
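To make the command-injection pattern concrete, here is an added example (not Coolify’s code, and not taken from the advisory) of a backup helper written three ways: the vulnerable shell-string form, the argv-list form that stops the shell from interpreting metacharacters, and a hardened form that additionally allowlists the database name. `echo` stands in for a real dump tool so the example runs offline; the hostile database name is a constructed, harmless sample.

```python
import re
import shlex
import subprocess

# Constructed sample inputs for illustration only (not from the advisory).
SAFE_NAME = "app_db"
HOSTILE_NAME = "app_db; echo INJECTED"  # carries a shell metacharacter

# Allowlist for a PostgreSQL-style identifier: letters, digits, underscore,
# at most 63 characters. Anything else is rejected before a command is built.
DB_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,63}")


def backup_vulnerable(db_name: str) -> list[str]:
    """Vulnerable pattern: untrusted input interpolated into a shell string.

    With shell=True the ';' inside db_name terminates the intended command
    and whatever follows runs as a second command. 'echo' stands in for a
    real dump tool (e.g. pg_dump) so this runs offline.
    """
    cmd = f"echo dumping {db_name}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def backup_argv_only(db_name: str) -> list[str]:
    """Partial fix: pass an argv list and no shell.

    The whole name is delivered to the tool as a single argument, so shell
    metacharacters are inert. Malformed names still reach the tool, though.
    """
    out = subprocess.run(["echo", "dumping", db_name],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def backup_quoted_shell(db_name: str) -> list[str]:
    """If a shell string is unavoidable (e.g. a command line sent over SSH to
    a managed server), quote every untrusted fragment with shlex.quote so the
    remote shell sees it as one literal word."""
    cmd = f"echo dumping {shlex.quote(db_name)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def is_accepted(db_name: str) -> bool:
    """Allowlist check applied before any command is assembled."""
    return DB_NAME_RE.fullmatch(db_name) is not None


def backup_hardened(db_name: str) -> list[str]:
    """Hardened: validate against the allowlist, then use argv with no shell.
    Both layers matter: validation rejects garbage early, argv removes the
    shell from the path entirely."""
    if not is_accepted(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return backup_argv_only(db_name)


if __name__ == "__main__":
    print("vulnerable :", backup_vulnerable(HOSTILE_NAME))    # two lines: injected command ran
    print("argv only  :", backup_argv_only(HOSTILE_NAME))     # one line: name passed literally
    print("quoted     :", backup_quoted_shell(HOSTILE_NAME))  # one line: quoting neutralised ';'
    print("hardened   :", backup_hardened(SAFE_NAME))
    try:
        backup_hardened(HOSTILE_NAME)
    except ValueError as exc:
        print("hardened   :", exc)
```

The point to take away is that the argv form and the quoting form each prevent the shell from splitting the input, while the allowlist prevents surprising values from reaching the tool at all; an application that builds commands from user fields, as the advisory describes, wants both.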
Here’s the full list of vulnerabilities, each with its own unique twist:
- CVE-2025-66209 (CVSS: 10.0) - Command injection in database backups, leading to full server compromise.
- CVE-2025-66210 (CVSS: 10.0) - Authenticated command injection in database imports, risking full infrastructure takeover.
- CVE-2025-66211 (CVSS: 10.0) - Command injection in PostgreSQL init scripts, allowing root-level access.
- CVE-2025-66212 (CVSS: 10.0) - Authenticated command injection in Dynamic Proxy Configuration, enabling root access on managed servers.
- CVE-2025-66213 (CVSS: 10.0) - Command injection in File Storage Directory Mount, granting root access to attackers.
- CVE-2025-64419 (CVSS: 9.7) - Command injection via docker-compose.yaml, allowing root-level system commands.
- CVE-2025-64420 (CVSS: 10.0) - Information disclosure of root user private keys, enabling unauthorized SSH access.
- CVE-2025-64424 (CVSS: 9.4) - Command injection in git source input fields, allowing low-privileged users to execute root commands.
- CVE-2025-59156 (CVSS: 9.4) - OS command injection via Docker Compose directives, achieving root-level execution.
- CVE-2025-59157 (CVSS: 10.0) - OS command injection using the Git Repository field during deployment, executing arbitrary shell commands.
- CVE-2025-59158 (CVSS: 9.4) - Stored XSS vulnerability during project creation, automatically executed when an admin deletes the project.
But here’s the controversial part: while Coolify has released patches for most of these vulnerabilities, the fix status for CVE-2025-64420 and CVE-2025-64424 remains unclear. This ambiguity leaves thousands of users potentially exposed. Should open-source projects be held to stricter accountability standards when it comes to disclosing fix statuses? Let us know your thoughts in the comments.
The affected versions and their fixes are as follows:
- CVE-2025-66209, CVE-2025-66210, CVE-2025-66211: Fixed in versions >= 4.0.0-beta.451.
- CVE-2025-66212, CVE-2025-66213: Fixed in versions >= 4.0.0-beta.451.
- CVE-2025-64419: Fixed in versions >= 4.0.0-beta.445.
- CVE-2025-64420, CVE-2025-64424: Fix status unclear.
- CVE-2025-59156, CVE-2025-59157, CVE-2025-59158: Fixed in version 4.0.0-beta.420.7.
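As an added check (not provided by Coolify or the advisory), the following script turns the fix table above into a patch-status lookup: given the version string an instance reports, it lists which of the 11 CVEs are still open. The two CVEs whose fix status the article calls unclear are deliberately treated as open. It assumes the `4.0.0-beta.N[.M]` version format the table uses and nothing more.

```python
import re

# Fix versions exactly as the article states them. None marks the two CVEs
# whose fix status is reported as unclear; they are treated as still open.
FIXED_IN = {
    "CVE-2025-66209": "4.0.0-beta.451",
    "CVE-2025-66210": "4.0.0-beta.451",
    "CVE-2025-66211": "4.0.0-beta.451",
    "CVE-2025-66212": "4.0.0-beta.451",
    "CVE-2025-66213": "4.0.0-beta.451",
    "CVE-2025-64419": "4.0.0-beta.445",
    "CVE-2025-64420": None,
    "CVE-2025-64424": None,
    "CVE-2025-59156": "4.0.0-beta.420.7",
    "CVE-2025-59157": "4.0.0-beta.420.7",
    "CVE-2025-59158": "4.0.0-beta.420.7",
}

# Assumption: versions look like 4.0.0-beta.451 or 4.0.0-beta.420.7, i.e. a
# numeric core followed by a dotted numeric beta suffix. Other shapes are rejected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-beta\.(\d+(?:\.\d+)*)$")


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a beta version string into a tuple that compares numerically.

    (4, 0, 0, 420, 7) < (4, 0, 0, 451) because 420 < 451, and
    (4, 0, 0, 420) < (4, 0, 0, 420, 7) because the shorter tuple is a prefix.
    """
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Coolify version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    beta = tuple(int(x) for x in m.group(4).split("."))
    return core + beta


def is_fixed(cve: str, installed: str) -> bool:
    """True only if the article gives a fix version and the install meets it."""
    fix = FIXED_IN[cve]
    if fix is None:
        return False
    return parse_version(installed) >= parse_version(fix)


def open_cves(installed: str) -> list[str]:
    """CVEs from the table that still apply to the given installed version."""
    return sorted(cve for cve in FIXED_IN if not is_fixed(cve, installed))


if __name__ == "__main__":
    for v in ["4.0.0-beta.420", "4.0.0-beta.420.7", "4.0.0-beta.445", "4.0.0-beta.451"]:
        print(f"{v}: {len(open_cves(v))} open -> {open_cves(v)}")
```

Note that even the newest version in the table still reports two open entries, which is exactly the point the article makes about CVE-2025-64420 and CVE-2025-64424: a version check alone cannot tell you they are resolved.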
According to Censys, as of January 8, 2026, there are approximately 52,890 exposed Coolify hosts globally, with the majority concentrated in Germany (15,000), the U.S. (9,800), France (8,000), Brazil (4,200), and Finland (3,400). While there’s no evidence of active exploitation, the severity of these flaws demands immediate action. If you’re using Coolify, update your instance without delay.
And remember, in the world of self-hosting, vigilance isn’t just a recommendation—it’s a necessity.