CVE-2026-34058
CoolLabs · Coolify
Coolify contains an OS Command Injection vulnerability allowing authenticated attackers to execute arbitrary commands on the host system via improper input neutralization.
Executive summary
An authenticated OS Command Injection vulnerability in Coolify permits remote code execution, posing a critical risk to host server security.
Vulnerability
This flaw is classified as CWE-78, where the application fails to properly sanitize user-supplied input before passing it to a system shell. Authenticated users can leverage this weakness to execute arbitrary OS commands, bypassing intended application restrictions.
Business impact
An attacker exploiting this vulnerability could gain unauthorized control over the server, potentially leading to the compromise of hosted databases and application data. With a CVSS score of 8.8, the potential for full system takeover makes this an urgent security concern for organizations relying on Coolify for infrastructure management.
Remediation
Immediate Action: Update the Coolify installation to version 4.0.0-beta.471 or higher to patch the command injection vulnerability.
Proactive Monitoring: Monitor system logs for unusual shell activity or unauthorized process spawning associated with the Coolify service.
Compensating Controls: Implement strict network segmentation and egress filtering to prevent the application from making unauthorized outbound connections if the server is compromised.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS severity, failure to remediate this vulnerability exposes the entire server environment to potential takeover. Organizations must treat this as a high-priority update and apply the patch to all affected instances immediately.