Coolify members can see private key of root user

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.

AI Analysis

Low privileged users can see the private key of the root user, allowing them to ssh to the server and authenticate as root user.

Basic Information

ID CVE-2025-64420

Source GitHub_M

Published Jan 5, 2026 at 19:20

Modified Jan 5, 2026 at 19:30

Affected Product

Vendor coollabsio

Product coolify

Version <= 4.0.0-beta.434

Affected Versions coollabsio coolify <= 4.0.0-beta.434

CWE Classification

CWE-522

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor coollabsio

Product Coolify

Version <= 4.0.0-beta.434

References

github.com /coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc

{
    "lastseen": "",
    "description": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.",
    "published": "2026-01-05T19:20:24.392Z",
    "modified": "2026-01-05T19:30:10.050Z",
    "type": "cve",
    "title": "Coolify members can see private key of root user",
    "source": "GitHub_M",
    "references": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc",
    "id": "CVE-2025-64420",
    "bulletinFamily": "",
    "cwe": [
        "CWE-522"
    ],
    "cvelist": null,
    "sourceData": "coollabsio coolify <= 4.0.0-beta.434",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "coolify",
    "version": "<= 4.0.0-beta.434",
    "vendor": "coollabsio",
    "ai_description": "Low privileged users can see the private key of the root user, allowing them to ssh to the server and authenticate as root user.",
    "ai_severity": "Critical",
    "ai_vendor": "coollabsio",
    "ai_product": "Coolify",
    "ai_version": "<= 4.0.0-beta.434",
    "ai_score": 10
}

Coolify members can see private key of root user_CVE-2025-64420