CVE-2026-34599
CoolLabs · Coolify
Coolify contains an OS command injection vulnerability that allows authenticated users to execute arbitrary system commands via improper input neutralization.
Executive summary
An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, potentially leading to a full host compromise.
Vulnerability
This vulnerability is caused by improper neutralization of special elements within OS commands. It allows a low-privilege authenticated attacker to escape intended command boundaries and execute arbitrary code on the host system.
Business impact
With a CVSS score of 8.8, this flaw presents a substantial risk to the security of the infrastructure. Unauthorized command execution can lead to data exfiltration, service disruption, and complete loss of control over the self-hosted environment.
Remediation
Immediate Action: Update the Coolify installation to version 4.0.0-beta.471 or later as specified in the vendor's security advisory.
Proactive Monitoring: Monitor the server for unauthorized shell access or unusual child processes spawned by the Coolify service.
Compensating Controls: Implement strict firewall rules to restrict network access to the Coolify administrative interface to trusted users only, reducing the attack surface.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS severity, immediate patching is required. Administrators should verify their current version and apply the recommended update to mitigate the risk of remote command execution.