CVE-2026-34057
CoolLabs · Coolify
Coolify is susceptible to an OS Command Injection vulnerability that allows authenticated attackers to execute arbitrary system commands on the host server.
Executive summary
A critical OS Command Injection vulnerability in Coolify allows authenticated attackers to achieve remote code execution on the underlying host system.
Vulnerability
This vulnerability involves improper neutralization of special elements used in an OS command (CWE-78). An attacker with low-level authenticated access can manipulate input parameters to execute arbitrary commands with the privileges of the Coolify application.
Business impact
Successful exploitation of this vulnerability poses a severe risk to the confidentiality, integrity, and availability of the host environment. An attacker achieving remote code execution could gain full control over the server, leading to data exfiltration, lateral movement within the network, or total system compromise. Given the CVSS score of 8.8, this represents a high-severity threat that requires immediate attention.
Remediation
Immediate Action: Upgrade to Coolify version 4.0.0-beta.471 or later immediately to resolve the vulnerable code path.
Proactive Monitoring: Review application and system audit logs for suspicious process execution patterns or unexpected command-line arguments originating from the Coolify service account.
Compensating Controls: Ensure the Coolify application runs with the principle of least privilege, utilizing containerization or restricted service accounts to limit the impact of potential command execution.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The presence of an OS command injection vulnerability in a self-hosted management tool is highly dangerous. Administrators should prioritize upgrading their Coolify instances to version 4.0.0-beta.471 immediately to mitigate the risk of unauthorized system-level access.