Improper Access Control in Coolify Affects Self-Hosted Server Management Tool
CVE-2025-64420

10CRITICAL

Key Information:

Vendor

Coollabsio

Status
Coolify
Vendor
CVE Published:
5 January 2026

Badges

๐Ÿ“ฐ News Worthy

What is CVE-2025-64420?

Coolify is an open-source tool that allows users to manage servers, applications, and databases. In certain versions (up to v4.0.0-beta.434), a flaw in the access control mechanism permits low-privileged users to view the private key associated with the root user account. This exposure enables unauthorized SSH access to the server, allowing such users to authenticate as the root user. As of the latest information, there is no available patch to remediate this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

coolify <= 4.0.0-beta.434

News Articles

favicon imageCyber Press

Coolify Self-Hosting Platform Vulnerabilities Allow Attackers to Execute Arbitrary System Commands

The vulnerabilities pose severe risks to organizations deploying Coolify instances, particularly those exposed to the internet.

References

https://github.com/coollabsio/coolify/security/advisories...
x_refsource_CONFIRM

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • ๐Ÿ“ฐ

    First article discovered by Cyber Press

  • Vulnerability published

  • Vulnerability Reserved

JSON
.