Coolify Vulnerabilities Allow Full Server Compromise

These articles are AI-generated summaries. Please check the original sources for full details.

Coolify Discloses 11 Critical Flaws

Coolify, a self-hosting platform, has disclosed 11 critical vulnerabilities, with CVSS scores reaching 10.0, that could allow attackers to gain full control of affected servers. The flaws, discovered by security researchers, include command injection and information disclosure vulnerabilities.

Why This Matters

Self-hosted platforms often present a larger attack surface because patching and configuration depend on individual administrators. Ideal security models assume timely updates, but real-world deployment lags are common. The 52,890 exposed Coolify hosts observed as of January 8, 2026, show the potential scale of impact if these vulnerabilities are exploited: widespread infrastructure compromise and data breaches.

Key Insights

  • 52,890: Number of exposed Coolify hosts as of January 8, 2026, according to Censys.
  • Command Injection: Multiple vulnerabilities (CVE-2025-66209, CVE-2025-66210, etc.) allow attackers to execute arbitrary commands on the server, bypassing security controls.
  • Root Key Disclosure: CVE-2025-64420 enables low-privileged users to view the root user’s private key, granting unauthorized SSH access.

Practical Applications

  • Use Case: Organizations using Coolify for self-hosting applications must immediately update to the patched versions to prevent exploitation.
  • Pitfall: Ignoring vulnerability disclosures in self-hosted software can lead to complete system takeover and data loss.
