Critical Coolify Flaws Enable Full Server Compromise on Self-Hosted Instances
Summary
Eleven critical vulnerabilities in Coolify, an open-source self-hosting platform, have been disclosed, enabling authentication bypass and remote code execution on self-hosted instances. These flaws could lead to full server compromise if exploited. The vulnerabilities affect various functionalities, including database management, proxy configuration, and file storage. The affected versions and fixes are specified, with some versions having unclear fix statuses. As of January 8, 2026, there are approximately 52,890 exposed Coolify hosts worldwide, primarily in Germany, the U.S., France, Brazil, and Finland. While no exploitation in the wild has been reported, users are urged to apply patches promptly due to the severity of the flaws.
Timeline
- 08.01.2026 11:53 (1 article): Eleven Critical Coolify Flaws Disclosed
On January 8, 2026, cybersecurity researchers disclosed eleven critical vulnerabilities in Coolify, an open-source self-hosting platform. These flaws enable authentication bypass and remote code execution on self-hosted instances, potentially leading to full server compromise. The vulnerabilities affect various functionalities, including database management, proxy configuration, and file storage. The affected versions and fixes are specified, with some versions having unclear fix statuses. As of the disclosure date, there are approximately 52,890 exposed Coolify hosts worldwide, primarily in Germany, the U.S., France, Brazil, and Finland. While no exploitation in the wild has been reported, users are urged to apply patches promptly due to the severity of the flaws.
Sources:
- Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances — thehackernews.com — 08.01.2026 11:53
Information Snippets
Each snippet below was first reported on 08.01.2026 11:53 by a single source (thehackernews.com, "Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances").

- CVE-2025-66209: Command injection in the database backup functionality allows authenticated users to execute arbitrary commands on the host server, leading to container escape and full server compromise.
- CVE-2025-66210: Authenticated command injection in the database import functionality allows attackers to execute arbitrary commands on managed servers, resulting in full infrastructure compromise.
- CVE-2025-66211: Command injection in PostgreSQL init script management allows authenticated users with database permissions to execute arbitrary commands as root on the server.
- CVE-2025-66212: Authenticated command injection in the Dynamic Proxy Configuration functionality allows users with server management permissions to execute arbitrary commands as root on managed servers.
- CVE-2025-66213: Authenticated command injection in the File Storage Directory Mount functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers.
- CVE-2025-64419: Command injection via docker-compose.yaml enables attackers to execute arbitrary system commands as root on the Coolify instance.
- CVE-2025-64420: Information disclosure vulnerability allows low-privileged users to view the private key of the root user, enabling unauthorized SSH access and root authentication.
- CVE-2025-64424: Command injection in git source input fields allows low-privileged users to execute system commands as root on the Coolify instance.
- CVE-2025-59156: Operating system command injection allows low-privileged users to inject arbitrary Docker Compose directives and achieve root-level command execution on the underlying host.
- CVE-2025-59157: Operating system command injection allows regular users to inject arbitrary shell commands, via the Git Repository field during deployment, that execute on the underlying server.
- CVE-2025-59158: Improper encoding or escaping of data allows authenticated users with low privileges to conduct stored cross-site scripting (XSS) attacks during project creation; the payload executes automatically when an administrator attempts to delete the project or its associated resource.
- Approximately 52,890 exposed Coolify hosts are identified as of January 8, 2026, with the majority located in Germany, the U.S., France, Brazil, and Finland.