Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform. The flaws could result in authentication bypass and remote code execution. There are about 52,890 exposed Coolify hosts as of January 8, 2026, with most of them located in the U.S. (15,800), France (8,000), Brazil (4,400), and Finland (3,200,000). There are no indications that any of the flaws have been exploited in the wild, but given their severity, users should apply the fixes as soon as possible.

The following versions are impacted by the shortcomings: 4.0.0-beta.448 (fixed in >= 4.0.0-beta.451).

CVE-2025-66212 (CVSS score: 10.0) - An authenticated command injection vulnerability in the Dynamic Proxy Configuration feature.

On managed servers, this feature enables users with server management permissions to run any command as root. A low-privileged user (member) could run system commands as root on the Coolify instance owing to a vulnerability discovered in the git source input fields of a resource. It was fixed in 4.3.0 (fixed in 2.4.4 and 2.5) and 4.1.6 (fixed in 4.2.4).
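The git source field issue above is an instance of a broader bug class: a user-controlled value that reaches a shell running with high privileges. The following is an added, illustrative Python example (not Coolify's code, which is a PHP application) contrasting the risky string-interpolation pattern with an allowlisted, argv-based build; the URL and path rules are assumptions chosen for the demonstration.

```python
"""Illustrative hardening of a 'git source' input field (not Coolify's code).

The risky pattern interpolates the field into a shell string, so shell
metacharacters in the value become part of the command. The hardened form
validates the value against an allowlist and passes it as a discrete argv
element with shell=False, so metacharacters are inert.
"""
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh"}          # assumption: only these are supported
SAFE_NETLOC = re.compile(r"^[A-Za-z0-9.@:-]+$")  # host, optional user and port
SAFE_PATH = re.compile(r"^[A-Za-z0-9._/~-]+$")   # conservative repo/dest path charset


def build_clone_cmd_unsafe(repo_url: str, dest: str) -> str:
    """The risky pattern: user input interpolated into a shell command string."""
    return f"git clone {repo_url} {dest}"


def is_safe_git_source(repo_url: str) -> bool:
    """True only for a plain https/ssh URL with a simple host and path."""
    # urlsplit (not urlparse) is used so a ';' stays in the path and gets rejected.
    parsed = urlsplit(repo_url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    if not SAFE_NETLOC.match(parsed.netloc) or not SAFE_PATH.match(parsed.path):
        return False
    return not parsed.query and not parsed.fragment


def build_clone_cmd_safe(repo_url: str, dest: str) -> list[str]:
    """Validated input passed as argv elements; raises on anything unexpected."""
    if not is_safe_git_source(repo_url):
        raise ValueError(f"rejected git source: {repo_url!r}")
    if not SAFE_PATH.match(dest):
        raise ValueError(f"rejected destination: {dest!r}")
    # '--' stops git from interpreting the value as an option.
    return ["git", "clone", "--", repo_url, dest]


def run_clone(repo_url: str, dest: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False means no shell parses the value."""
    return subprocess.run(build_clone_cmd_safe(repo_url, dest), check=True, shell=False)
```

Validation and argv construction matter more than the exact regexes; the unsafe builder is included only so the difference is visible side by side.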

A vulnerability was also found in the PostgreSQL init script management function, which permits authenticated users with database permissions to execute arbitrary commands on the host server. The most recent Coolify version (4.1) and the upcoming Apache Software Foundation version (3.3) have both addressed the vulnerabilities.