CVE-2025-64420

CRITICAL

Coollabs Coolify < 4.0.0 - Insufficiently Protected Credentials

Title source: rule

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.

References (1)

Scores

CVSS v3 9.9
EPSS 0.0005
EPSS Percentile 16.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE
CWE-522
Status published

Affected Products (50)

coollabs/coolify < 4.0.0
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
coollabs/coolify
... and 35 more

Timeline

Published Jan 05, 2026
Tracked Since Feb 18, 2026