CVE-2026-34152
CoolLabs · Coolify
Coolify is vulnerable to OS Command Injection, enabling authenticated attackers to execute arbitrary system commands through insecure input handling.
Executive summary
An authenticated OS Command Injection vulnerability in Coolify allows for remote code execution, threatening the integrity of the host environment.
Vulnerability
This vulnerability (CWE-78) occurs due to the improper neutralization of special characters in input fields, allowing an authenticated attacker to inject and execute OS-level commands. This effectively bypasses the application's intended functional boundaries.
Business impact
The ability to execute OS commands on the host server provides an attacker with broad capabilities, including data theft, privilege escalation, and persistent backdooring of the environment. The CVSS score of 8.8 highlights the high risk associated with this vulnerability, requiring prompt remediation to prevent unauthorized access to critical infrastructure.
Remediation
Immediate Action: Apply the vendor-provided update to version 4.0.0-beta.471 or later to remediate the command injection flaw.
Proactive Monitoring: Regularly audit server access logs and monitor for unexpected command execution or child processes being spawned by the application.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common shell injection patterns in request parameters.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a significant security risk for Coolify users. Administrators are strongly advised to perform the update to version 4.0.0-beta.471 across all environments to ensure protection against potential exploitation.