CVE-2026-34058

CoolLabs · Coolify

Coolify contains an OS Command Injection vulnerability allowing authenticated attackers to execute arbitrary commands on the host system via improper input neutralization.

Executive summary

An authenticated OS Command Injection vulnerability in Coolify permits remote code execution, posing a critical risk to host server security.

Vulnerability

This flaw is classified as CWE-78, where the application fails to properly sanitize user-supplied input before passing it to a system shell. Authenticated users can leverage this weakness to execute arbitrary OS commands, bypassing intended application restrictions.

Business impact

An attacker exploiting this vulnerability could gain unauthorized control over the server, potentially leading to the compromise of hosted databases and application data. With a CVSS score of 8.8, the potential for full system takeover makes this an urgent security concern for organizations relying on Coolify for infrastructure management.

Remediation

Immediate Action: Update the Coolify installation to version 4.0.0-beta.471 or higher to patch the command injection vulnerability.

Proactive Monitoring: Monitor system logs for unusual shell activity or unauthorized process spawning associated with the Coolify service.

Compensating Controls: Implement strict network segmentation and egress filtering to prevent the application from making unauthorized outbound connections if the server is compromised.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS severity, failure to remediate this vulnerability exposes the entire server environment to potential takeover. Organizations must treat this as a high-priority update and apply the patch to all affected instances immediately.