CVE-2026-34034

CoolLabs · Coolify

Coolify contains an OS command injection vulnerability that allows an authenticated user to execute arbitrary commands on the host server.

Executive summary

An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, leading to potential full system compromise.

Vulnerability

This is an OS Command Injection vulnerability (CWE-78) triggered by the improper sanitization of inputs processed by the application. An authenticated user can leverage this flaw to run unauthorized commands on the underlying operating system.

Business impact

A CVSS score of 8.8 underscores the severity of this issue, as it allows attackers to bypass security controls and gain unauthorized access to the host server. This could lead to severe consequences, including data theft, manipulation of hosted databases, or the total loss of server availability.

Remediation

Immediate Action: Update Coolify to version 4.0.0-beta.466 or later to apply the security fix.

Proactive Monitoring: Continuously audit access logs for suspicious command patterns and monitor server performance for unauthorized background processes.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common shell injection signatures.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The risk posed by this OS command injection is severe and requires prompt attention. Security teams must ensure all Coolify deployments are patched to the fixed version to prevent authenticated actors from escalating their privileges to the OS level.