CVE-2026-34034
CoolLabs · Coolify
Coolify contains an OS command injection vulnerability that allows an authenticated user to execute arbitrary commands on the host server.
Executive summary
An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, leading to potential full system compromise.
Vulnerability
This is an OS Command Injection vulnerability (CWE-78) triggered by the improper sanitization of inputs processed by the application. An authenticated user can leverage this flaw to run unauthorized commands on the underlying operating system.
Business impact
A CVSS score of 8.8 underscores the severity of this issue, as it allows attackers to bypass security controls and gain unauthorized access to the host server. This could lead to severe consequences, including data theft, manipulation of hosted databases, or the total loss of server availability.
Remediation
Immediate Action: Update Coolify to version 4.0.0-beta.466 or later to apply the security fix.
Proactive Monitoring: Continuously audit access logs for suspicious command patterns and monitor server performance for unauthorized background processes.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common shell injection signatures.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The risk posed by this OS command injection is severe and requires prompt attention. Security teams must ensure all Coolify deployments are patched to the fixed version to prevent authenticated actors from escalating their privileges to the OS level.