← Back to CVEs
CVE-2025-64420
CRITICAL9.9
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.
CVE Details
CVSS v3.1 Score9.9
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published1/5/2026
Last Modified1/12/2026
Sourcenvd
Honeypot Sightings0
Affected Products
coollabs:coolify
Weaknesses (CWE)
CWE-522
References
https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.