Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances - The Hacker News
Ravie LakshmananJan 08, 2026Vulnerability / Container Security
Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform, that could result in authentication bypass and remote code execution.
The list of vulnerabilities is as follows -
CVE-2025-66209 (CVSS score: 10.0) - A command injection vulnerability in the database backup functionality allows any authenticated user with database backup permissions to execute arbitrary commands on the host server, resulting in container escape and full server compromise
CVE-2025-66210 (CVSS score: 10.0) - An authenticated command injection vulnerability in the database import functionality allows attackers to execute arbitrary commands on managed servers, leading to full infrastructure compromise
CVE-2025-66211 (CVSS score: 10.0) - A command injection vulnerability in the PostgreSQL init script management allows authenticated users with database permissions to execute arbitrary commands as root on the server
CVE-2025-66212 (CVSS score: 10.0) - An authenticated command injection vulnerability in the Dynamic Proxy Configuration functionality allows users with server management permissions to execute arbitrary commands as root on managed servers
CVE-2025-66213 (CVSS score: 10.0) - An authenticated command injection vulnerability in the File Storage Directory Mount functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers
CVE-2025-64419 (CVSS score: 9.7) - A command injection vulnerability via docker-compose.yaml that enables attackers to execute arbitrary system commands as root on the Coolify instance
CVE-2025-64420 (CVSS score: 10.0) - An information disclosure vulnerability that allows low-privileged users to view the private key of the root user on the Coolify instance, allowing them to gain unauthorized access to the server via SSH and authenticate as the root user using the key
CVE-2025-64424 (CVSS score: 9.4) - A command injection vulnerability in the git source input fields of a resource that allows a low-privileged user (member) to execute system commands as root on the Coolify instance
CVE-2025-59156 (CVSS score: 9.4) - An operating system command injection vulnerability that allows a low-privileged user to inject arbitrary Docker Compose directives and achieve root-level command execution on the underlying host
CVE-2025-59157 (CVSS score: 10.0) - An operating system command injection vulnerability that allows a regular user to inject arbitrary shell commands that execute on the underlying server by using the Git Repository field during deployment
CVE-2025-59158 (CVSS score: 9.4) - An improper encoding or escaping flaw that allows an authenticated user with low privileges to plant a stored cross-site scripting (XSS) payload during project creation; the payload executes automatically in the browser context when an administrator later attempts to delete the project or its associated resource
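Most of the flaws listed above share one root cause: a user-controlled deployment field (a git repository URL, a mount directory) is interpolated into a shell command that runs as root. The following is an added illustration of that bug class and its hardened counterpart; it is constructed example code, not Coolify's code, and the validator names, regexes and the https-only assumption are this example's own.

```python
"""Constructed example: unsafe vs. hardened handling of user-supplied
deployment fields. Not Coolify code; validator names and patterns are
assumptions for illustration."""
import re
import subprocess
from typing import Callable, List

# Assumption: only https git remotes are accepted in this deployment flow.
GIT_HTTPS_RE = re.compile(r"^https://[A-Za-z0-9.-]+(:\d+)?/[A-Za-z0-9._/-]+$")
# Absolute mount directory with a restricted character set (no spaces,
# quotes or shell metacharacters); '..' segments are checked separately.
MOUNT_DIR_RE = re.compile(r"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+/?$")


def unsafe_clone_command(repo: str, dest: str) -> str:
    """The vulnerable pattern: the shell line is built by string formatting,
    so any metacharacter in `repo` or `dest` becomes shell syntax."""
    return f"git clone {repo} {dest}"


def validate_git_url(repo: str) -> str:
    if not GIT_HTTPS_RE.fullmatch(repo):
        raise ValueError("rejected git repository field")
    return repo


def validate_mount_dir(path: str) -> str:
    if not MOUNT_DIR_RE.fullmatch(path) or ".." in path.split("/"):
        raise ValueError("rejected mount directory")
    return path


def field_is_accepted(validator: Callable[[str], str], value: str) -> bool:
    try:
        validator(value)
    except ValueError:
        return False
    return True


def safe_clone_argv(repo: str, dest: str) -> List[str]:
    """Hardened form: allow-list validation, then an argv list (no shell).
    '--' ensures a value starting with '-' cannot be parsed as a git option."""
    return ["git", "clone", "--", validate_git_url(repo), validate_mount_dir(dest)]


def run_clone(repo: str, dest: str) -> subprocess.CompletedProcess:
    # shell=False: each argv element reaches git as a literal argument.
    return subprocess.run(safe_clone_argv(repo, dest), shell=False, check=True)
```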
The following versions are impacted by the shortcomings -
CVE-2025-66209, CVE-2025-66210, CVE-2025-66211 - <= 4.0.0-beta.448 (Fixed in >= 4.0.0-beta.451)
CVE-2025-66212, CVE-2025-66213 - <= 4.0.0-beta.450 (Fixed in >= 4.0.0-beta.451)
CVE-2025-64419 - < 4.0.0-beta.436 (Fixed in >= 4.0.0-beta.445)
CVE-2025-64420, CVE-2025-64424 - <= 4.0.0-beta.434 (Fix status unclear)
CVE-2025-59156, CVE-2025-59157, CVE-2025-59158 - <= 4.0.0-beta.420.6 (Fixed in 4.0.0-beta.420.7)
Source: Censys
According to data from attack surface management platform Censys, there are about 52,890 exposed Coolify hosts as of January 8, 2026, with most of them located in Germany (15,000), the U.S. (9,800), France (8,000), Brazil (4,200), and Finland (3,400).
While there are no indications that any of the flaws have been exploited in the wild, it's essential that users move quickly to apply the fixes as soon as possible in light of their severity.
Update
Aikido, which is credited with discovering and reporting some of the vulnerabilities, including CVE-2025-64420 and CVE-2025-64424, said they have been fixed following responsible disclosure.