Fixes

Summary

Coolify was auto-injecting env_file: [".env"] into every service in Docker Compose deployments, causing ALL environment variables to leak into EVERY container regardless of which service they were defined for.

Example of the security issue: In a Next.js + PostgreSQL + Redis stack, the Redis container has access to POSTGRES_PASSWORD and the PostgreSQL container can see OPENAI_API_KEY meant only for the app.

Per Docker Compose documentation, the .env file is used for YAML variable interpolation only (${VAR} substitution in the compose file), not for runtime environment injection into containers.

Root Cause

Three locations auto-injected .env into every service’s env_file:

  1. bootstrap/helpers/parsers.php — Application parser flow (line ~1322)
  2. bootstrap/helpers/parsers.php — Service parser flow (line ~2421)
  3. app/Jobs/ApplicationDeploymentJob.php — Compose deployment (line ~640)

Changes

  • Remove auto-injection of .env into env_file for all Compose services
  • Preserve any user-defined env_file entries (if users explicitly add env_file: [my-custom.env] in their compose, it is preserved)
  • Keep .env file generation for Docker Compose YAML variable interpolation (unchanged)
  • Keep single-container deployments unaffected (non-compose still uses .env)

Each service now only receives environment variables from its own environment: section, which is already populated per-service by the parsers with the correct variables.
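The leak and the fix, modelled in Python as an added example (not Coolify's own code): the compose stack, the .env contents and the service names are constructed, `render` stands in for the parser change described above, and `leaks` performs offline the check that the `env | grep` steps under How to Test do inside real containers.

```python
import copy
import re

# Constructed sample of the stack-wide .env Coolify generates (placeholder values).
DOTENV = {
    "POSTGRES_PASSWORD": "pg-placeholder",
    "OPENAI_API_KEY": "sk-placeholder",
    "SERVICE_FQDN_APP": "app.example.test",
}

# Constructed compose model; "app" carries a user-defined env_file that must survive.
COMPOSE = {"services": {
    "app": {"environment": {"OPENAI_API_KEY": "${OPENAI_API_KEY}",
                            "APP_URL": "https://${SERVICE_FQDN_APP}"},
            "env_file": ["my-custom.env"]},
    "postgres": {"environment": {"POSTGRES_PASSWORD": "${POSTGRES_PASSWORD}"}},
    "redis": {"environment": {}},
}}

def render(compose, inject_dotenv):
    """Pre-fix behaviour appended ".env" to every service's env_file (inject_dotenv=True);
    the fix leaves env_file exactly as the user wrote it (inject_dotenv=False)."""
    out = copy.deepcopy(compose)
    if inject_dotenv:
        for svc in out["services"].values():
            svc["env_file"] = list(svc.get("env_file", [])) + [".env"]
    return out

def interpolate(value, dotenv):
    """Compose-file ${VAR} substitution, the only thing .env is meant for."""
    return re.sub(r"\$\{(\w+)\}", lambda m: dotenv.get(m.group(1), ""), value)

def container_env(service, dotenv):
    """Runtime variables a container receives: the whole .env if it is listed in
    env_file, plus its own environment: section (interpolated). Other env_file
    entries are user files whose contents are not modelled here."""
    env = dict(dotenv) if ".env" in service.get("env_file", []) else {}
    env.update({k: interpolate(v, dotenv) for k, v in service.get("environment", {}).items()})
    return env

def leaks(compose, dotenv):
    """Per service, variables present at runtime that its environment: never declared."""
    return {name: sorted(set(container_env(svc, dotenv)) - set(svc.get("environment", {})))
            for name, svc in compose["services"].items()}
```

With `inject_dotenv=True` the redis container ends up holding POSTGRES_PASSWORD and OPENAI_API_KEY; with the fix, every service's leak list is empty while `${SERVICE_FQDN_APP}` in the app URL still interpolates.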

How to Test

  1. Create a Docker Compose service with multiple containers (e.g., app + postgres + redis)
  2. Set environment variables on each service (e.g., POSTGRES_PASSWORD for postgres, API_KEY for app)
  3. Deploy and docker exec into each container
  4. Verify: env | grep POSTGRES_PASSWORD in the app container should return nothing
  5. Verify: env | grep API_KEY in the postgres container should return nothing
  6. Verify: Each container only has its own environment variables
  7. Verify: ${SERVICE_*} variable interpolation in compose YAML still works
  8. Verify: User-defined env_file: entries in compose are preserved

Breaking Change Note

Users who relied on the implicit behavior of all env vars being shared across all containers will need to explicitly add variables to each service’s environment: section or use env_file: in their compose file. This is the correct Docker Compose behavior.

Claim

Total prize pool: $75
Total paid: $0
Status: Pending
Submitted: March 02, 2026
Last updated: March 02, 2026

Contributors

cwanglab (@cwanglab): 100%

Sponsors

Tom Adamczewski (@tadamcz): $75