CVE-2026-34152

CoolLabs · Coolify

Coolify is vulnerable to OS Command Injection, enabling authenticated attackers to execute arbitrary system commands through insecure input handling.

Executive summary

An authenticated OS Command Injection vulnerability in Coolify allows for remote code execution, threatening the integrity of the host environment.

Vulnerability

This vulnerability (CWE-78) occurs due to the improper neutralization of special characters in input fields, allowing an authenticated attacker to inject and execute OS-level commands. This effectively bypasses the application's intended functional boundaries.

Business impact

The ability to execute OS commands on the host server provides an attacker with broad capabilities, including data theft, privilege escalation, and persistent backdooring of the environment. The CVSS score of 8.8 highlights the high risk associated with this vulnerability, requiring prompt remediation to prevent unauthorized access to critical infrastructure.

Remediation

Immediate Action: Apply the vendor-provided update to version 4.0.0-beta.471 or later to remediate the command injection flaw.

Proactive Monitoring: Regularly audit server access logs and monitor for unexpected command execution or child processes being spawned by the application.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common shell injection patterns in request parameters.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a significant security risk for Coolify users. Administrators are strongly advised to perform the update to version 4.0.0-beta.471 across all environments to ensure protection against potential exploitation.