CVE-2026-34035

CoolLabs · Coolify

Coolify is susceptible to an OS command injection vulnerability, enabling authenticated users to perform unauthorized command execution on the host machine.

Executive summary

An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, posing a substantial risk to the confidentiality and integrity of the system.

Vulnerability

This vulnerability is classified as an OS Command Injection (CWE-78) occurring when the application fails to properly validate user-supplied input before passing it to system-level commands. Authenticated users can exploit this to achieve unauthorized code execution.

Business impact

With a CVSS score of 8.8, the vulnerability presents a high risk of total system compromise. Successful exploitation could result in the breach of sensitive data, disruption of critical business services, and potential lateral movement within the network.

Remediation

Immediate Action: Upgrade to Coolify version 4.0.0-beta.466 or newer immediately.

Proactive Monitoring: Review logs for unusual system calls and monitor for unauthorized changes to system configurations or files.

Compensating Controls: Restrict administrative access to the Coolify dashboard using multi-factor authentication and IP allowlisting to mitigate the risk of unauthorized exploitation.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical nature of command injection flaws, immediate patching is necessary to secure the environment. Ensure that all affected Coolify instances are updated to the specified version to neutralize this high-severity threat.