Hostzero Logo
Back to Articles

Is Coolify Safe? What the 2026 CVEs Mean — and How to Lock It Down

11 critical Coolify CVEs, five rated CVSS 10.0, 52,890 exposed instances — 15,000 in Germany. What happened, who is actually at risk, and a lock-down checklist.

Pascal Ehlert
July 2026
Bar chart: 52,890 publicly exposed Coolify instances in January 2026, Germany leading with 15,000 (Censys)

On January 8, 2026, Coolify disclosed eleven critical vulnerabilities in a single day. Five of them carry a CVSS score of 10.0 — authenticated command injection that ends with root access on the host. At the time of disclosure, Censys counted 52,890 Coolify dashboards reachable from the public internet. More of them stand in Germany than anywhere else: roughly 15,000.

So, is Coolify safe? The short answer: yes — if you operate it like the piece of critical infrastructure it is. The longer answer is what this article is for.

What actually happened

Coolify is an open-source, self-hosted PaaS — an alternative to Heroku, Vercel or Netlify that deploys applications and orchestrates servers for you. That job description matters for everything that follows: Coolify routinely performs privileged operations on your hosts, usually as root.

The January disclosure covered eleven CVEs. Grouped by class:


Class

CVEs

CVSS

Fixed in

Command injection (DB backup/import, PostgreSQL init, proxy config, storage mounts) — RCE as root

CVE-2025-66209 … 66213

10.0 (all five)

4.0.0-beta.451

Private key disclosure — low-privileged user can read the root SSH key and log in as root

CVE-2025-64420

10.0

patched (≤ beta.434 affected)

Injection via docker-compose.yaml and Git input fields — root RCE

CVE-2025-64419, -64424, -59156, -59157

9.4–10.0

beta.445 / beta.420.7

Stored XSS via project name — fires in the admin’s browser

CVE-2025-59158

9.4

beta.420.7

No exploitation in the wild was confirmed at disclosure, and none has been reported since (as of July 2026). With ~52,000 exposed instances that is not a reason to relax — it is a head start.

January was not the end of it. Further critical issues were disclosed through spring 2026 — a Sentinel-token injection leading to host RCE (CVE-2026-34034), command injection during deployment (CVE-2026-34038), an authorization bypass that let users reach other teams’ servers (CVE-2026-34592). Coolify has since left beta: after years of 4.0.0-beta.4xx builds, the first stable release, v4.0.0, shipped on April 27, 2026 — and the current v4.1.2 (June 2026) still carries a page-long list of security fixes. Patching Coolify is a treadmill, not a one-off event.

Timeline of Coolify CVE waves from 2025 to 2026: 11 critical CVEs disclosed January 8, 2026, fixed in 4.0.0-beta.451; further RCEs through spring 2026; first stable release v4.0.0 in April 2026, current version 4.1.2

Why this keeps happening — and why it doesn’t mean "Coolify is bad"

Coolify’s entire job is to take user input — a Git URL, a docker-compose file, a database name — and turn it into privileged operations on your servers. That is the largest attack surface a self-hosted tool can have. The recurring pattern across these CVEs is the same: user input reaches a shell without enough sanitization, in many independent code paths.

Add the feature velocity of a young product — every vulnerable version above still reads 4.0.0-beta.4xx, and the first stable release only shipped in April 2026 — and a small core team, and this class of bug will keep appearing. To be fair: the project patches quickly and works with security researchers through responsible disclosure — that part functions well.

The takeaway is not "avoid Coolify". It is: treat it like production infrastructure, not like a weekend tool.

The honest nuance: who is actually at risk

Most of the eleven January CVEs require authentication. If you are the only admin, nobody else has an account, and your dashboard is not reachable from the internet, an attacker needs your credentials before any of the CVSS-10.0 bugs matter. Your real-world risk is far lower than the headlines suggest.

The problem: real installations rarely look like that.

  • 52,890 dashboards were publicly reachable — 15,000 of them in Germany.
  • Unauthenticated vectors existed too: host-header injection in the password reset flow and a login rate-limit bypass.
  • In team setups, any low-privileged member had several paths to root — including simply reading the root user’s SSH private key.
  • The stored XSS lets a low-privileged user plant a payload that executes in the admin’s browser.

If any of these describe your setup, "it requires auth" is not a defense.

Split illustration: publicly exposed Coolify dashboard versus hardened setup behind VPN

The lock-down checklist

Do this even if you never talk to us:

1. Update — and keep updating.
4.0.0-beta.451 is the bare minimum; better, run the current stable release — v4.1.2 as of July 2026. Coolify left beta with v4.0.0 on April 27, 2026, and 4.1.2 alone ships another long list of security fixes. Subscribe to the GitHub security advisories for the repository — new critical CVEs have appeared every few months.

2. Take the dashboard off the public internet.
VPN (WireGuard/Tailscale) or a strict IP allowlist. Most of the January risk disappears with this one step.

3. Rotate secrets if you ever ran ≤ beta.434.
Private keys were readable by low-privileged users. Rotate SSH keys, API tokens and database credentials — updating does not un-leak anything.

4. Minimal RBAC.
Every member account was a potential root shell. Grant app/server management rights only to people you would give root anyway.

5. Separate the control plane.
Where possible, run Coolify on its own host, not next to your production workloads. It limits the blast radius when — not if — the next CVE lands.

6. Monitor.
Alert on unusual API calls, new SSH keys and config changes on the Coolify host.

7. Keep backups off the Coolify host.
A root compromise of the control plane must not take your backups with it.

When self-hosted Coolify is a fine choice

We are not here to talk you out of a tool that fits. Keep running Coolify yourself if:

  • It hosts side projects, internal tools or staging — nothing a customer or regulator would ask about.
  • You are a single admin, the dashboard sits behind a VPN, and updates get applied within days, not months.
  • You genuinely enjoy operating it — many people do, it is a good product.

When it stops being fine

The calculation changes when:

  • Customer data or production workloads for a company run on it — especially under GDPR, or if you are in scope for NIS2.
  • Several people have accounts. Every one of them was one CVE away from root this January.
  • The question "who applies a critical patch within 24 hours, including during vacations?" has no answer.

The software is free; the operational duty is not. This is the same argument we make about running alpha-stage storage: someone has to absorb the risk. Either your team does — with update discipline, monitoring and on-call — or you pay someone to do it.

What we do

Hostzero runs open-source infrastructure for EU companies from our Frankfurt data center. For Coolify setups that have outgrown DIY, that means: a security audit of your existing instance (exposure, versions, RBAC, secret rotation), hardened managed operations — VPN-only dashboard, monitoring, patches applied on SLA — or, where it fits better, migration to a platform we already operate at scale.

Talk to an engineer — 30 minutes, no sales pitch. Describe your setup and we will tell you honestly whether the checklist above is all you need.

Frequently Asked Questions

Is Coolify safe to use in 2026?
Yes, with conditions: run the latest version, keep the dashboard off the public internet, rotate secrets if you ran a vulnerable version, and make sure someone owns patching. The project itself is actively maintained and fixes vulnerabilities fast.

Which version fixes the vulnerabilities?
4.0.0-beta.451 closed the January 2026 wave; later issues were fixed in subsequent releases. Coolify has since left beta — as of July 2026 the current release is v4.1.2. Run the latest stable version and check the project’s security advisories.

Have the Coolify vulnerabilities been exploited?
No exploitation in the wild has been confirmed as of July 2026. With ~52,000 publicly reachable instances, assume scanners are looking anyway.

I run Coolify alone, as a single user. Am I affected?
Your risk is much lower — most CVEs need an authenticated user. But the password-reset and rate-limit issues were unauthenticated, so an exposed dashboard is still a risk. Put it behind a VPN.

Should a company use Coolify in production? The category is not the problem; operations are. If you are in GDPR or NIS2 scope, run it with the same rigor as any tool that holds root on your servers — or have it run for you.

Have questions about this topic?

Our experts are happy to advise you on your individual strategy.

Schedule a consultation