CVE-2026-42153
CoolLabs · Coolify
Coolify is vulnerable to an OS command injection flaw, allowing authenticated attackers to execute arbitrary code on the host operating system.
Executive summary
A critical OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, resulting in a high risk of total system compromise.
Vulnerability
The application incorrectly handles special characters, which allows an authenticated attacker to inject and execute OS commands. This vulnerability leverages the application's internal functions to interact with the host system unexpectedly.
Business impact
The CVSS score of 8.8 underscores the severity of this vulnerability, which allows attackers to gain unauthorized control over the server environment. This could result in the compromise of sensitive credentials, data theft, or the use of the server in further malicious activities.
Remediation
Immediate Action: Upgrade to Coolify version 4.0.0-beta.474 or higher to resolve the underlying input validation issues.
Proactive Monitoring: Review application logs for input patterns containing shell metacharacters and monitor for suspicious unauthorized system processes.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common OS command injection patterns in HTTP requests.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Maintaining an outdated version of Coolify exposes the host environment to significant risk. It is imperative that administrators apply the provided security patch immediately to ensure the security of the application and the host server.