CVE-2026-34038
Coollabsio · Coolify
Coolify contains an authenticated remote command injection vulnerability in application deployment handling, allowing remote code execution and sensitive data exfiltration.
Executive summary
An authenticated remote code execution vulnerability in Coolify allows attackers with application write permissions to compromise host environments and exfiltrate sensitive configuration data.
Vulnerability
This is an OS command injection vulnerability triggered via application deployment fields like dockerfile_location and deployment commands. An attacker must possess authenticated application write permissions to exploit the flaw.
Business impact
The vulnerability carries a CVSS score of 9.9, reflecting its ability to grant full system control to an attacker. Successful exploitation allows for the exfiltration of environment variables, which often contain database credentials, API keys, and other sensitive infrastructure secrets, leading to a complete compromise of the hosted application stack.
Remediation
Immediate Action: Upgrade Coolify to version 4.0.0-beta.469 or later immediately to patch the command injection vulnerability.
Proactive Monitoring: Review deployment logs and audit application configuration changes for suspicious entries within the dockerfile_location or deployment command fields.
Compensating Controls: Implement strict Role-Based Access Control (RBAC) to limit the number of users with application write permissions until the patch is applied.
Exploitation status
Public Exploit Available: True
Analyst recommendation
The presence of a public exploit combined with the high CVSS score makes this a critical priority. Administrators must prioritize updating to version 4.0.0-beta.469 to prevent potential full-system compromise and data theft.