
Coollabsio Coolify vulnerabilities

37 known vulnerabilities affecting coollabsio/coolify.

Total CVEs
37
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL 4, HIGH 21, MEDIUM 12

Vulnerabilities

Page 1 of 2
CVE-2026-34594 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.471 | 2026-06-29
CVE-2026-34594 [HIGH] CWE-78 CVE-2026-34594: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, an authenticated command injection vulnerability in the Destination Network Management functionality allows users with destination management permissions to execute arbitrary commands as root on managed servers. The "network" para
nvd
CVE-2025-66209 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.451 | 2025-12-23
CVE-2025-66209 [HIGH] CWE-78 CVE-2025-66209: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names us
nvd
CVE-2025-66212 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.451 | 2025-12-23
CVE-2025-66212 [HIGH] CWE-78 CVE-2025-66212: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. P
nvd
CVE-2025-66213 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.451 | 2025-12-23
CVE-2025-66213 [HIGH] CWE-78 CVE-2025-66213: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers.
nvd
CVE-2025-66211 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.451 | 2025-12-23
CVE-2025-66211 [HIGH] CWE-78 CVE-2025-66211: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL
nvd
CVE-2025-66210 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.451 | 2025-12-23
CVE-2025-66210 [HIGH] CWE-78 CVE-2025-66210: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names us
nvd
CVE-2025-64424 | P2 | HIGH | CVSS 8.8 | ≤ 4.0.0-beta.434 | 2026-01-05
CVE-2025-64424 [HIGH] CWE-77 CVE-2025-64424: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute system commands as root on the Coolify instance. As of time
nvd
CVE-2026-34597 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.470 | 2026-06-29
CVE-2026-34597 [HIGH] CWE-78 CVE-2026-34597: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command pr
nvd
CVE-2025-22609 | P2 | CRITICAL | CVSS 10.0 | fixed in 4.0.0-beta.361 | 2025-01-24
CVE-2025-22609 [CRITICAL] CWE-862 CVE-2025-22609: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of IP / domain, port (most likely 22) and user (root) mat
nvd
CVE-2025-22612 | P2 | CRITICAL | CVSS 10.0 | fixed in 4.0.0-beta.374 | 2025-01-24
CVE-2025-22612 [CRITICAL] CWE-200 CVE-2025-22612: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) match
nvd
CVE-2025-59157 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.420.7 | 2026-01-05
CVE-2025-59157 [HIGH] CWE-78 CVE-2025-59157: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server durin
nvd
CVE-2025-59156 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.420.7 | 2026-01-05
CVE-2025-59156 [HIGH] CWE-78 CVE-2025-59156: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates.
nvd
CVE-2026-27957 | P2 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.464 | 2026-06-30
CVE-2026-27957 [HIGH] CWE-78 CVE-2026-27957: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically
nvd
CVE-2026-57498 | P3 | CRITICAL | CVSS 9.6 | fixed in 4.0.0-beta.474 | 2026-06-29
CVE-2026-57498 [CRITICAL] CWE-639 CVE-2026-57498: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parame
nvd
CVE-2025-22611 | P3 | CRITICAL | CVSS 9.9 | fixed in 4.0.0-beta.361 | 2025-01-24
CVE-2025-22611 [CRITICAL] CWE-862 CVE-2025-22611: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able to kick every other member out of the team, including
nvd
CVE-2025-64420 | P3 | HIGH | CVSS 8.8 | ≤ 4.0.0-beta.434 | 2026-01-05
CVE-2025-64420 [HIGH] CWE-522 CVE-2025-64420: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of t
nvd
CVE-2025-64423 | P3 | HIGH | CVSS 8.8 | ≤ 4.0.0-beta.434 | 2026-01-05
CVE-2025-64423 [HIGH] CWE-287 CVE-2025-64423: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, m
nvd
CVE-2025-64419 | P3 | HIGH | CVSS 8.8 | fixed in 4.0.0-beta.445 | 2026-01-05
CVE-2025-64419 [HIGH] CWE-77 CVE-2025-64419: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands
nvd
CVE-2026-12815 | P3 | MEDIUM | CVSS 6.3 | v4.0.0 | 2026-06-22
CVE-2026-12815 [MEDIUM] CWE-77 CVE-2026-12815: A vulnerability has been found in coollabsio coolify 4.0.0. Impacted is an unknown function of the component Image Name Handler. Such manipulation leads to os command injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. The changelog for 4.1.2 mentions "[i]mproved ima
nvd
CVE-2025-64425 | P3 | HIGH | CVSS 8.1 | ≤ 4.0.0-beta.434 | 2026-01-05
CVE-2025-64425 [HIGH] CWE-644 CVE-2025-64425: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious
nvd