CVE-2026-34153

CoolLabs · Coolify

Coolify is susceptible to an OS Command Injection vulnerability, allowing authenticated attackers to execute arbitrary system commands on the host server.

Executive summary

An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary code on the underlying host, posing a significant risk to the entire self-hosted environment.

Vulnerability

The application fails to properly neutralize special elements used in an OS command, enabling an authenticated user to perform OS command injection. This vulnerability requires a low-privilege authenticated session to initiate the attack.

Business impact

Successful exploitation of this vulnerability grants an attacker the ability to execute commands with the privileges of the Coolify application. Given the CVSS score of 8.8, this poses a high risk of full system compromise, unauthorized data access, and potential lateral movement into other databases or services managed by the platform.

Remediation

Immediate Action: Upgrade Coolify to version 4.0.0-beta.471 or later to implement the necessary input neutralization patches.

Proactive Monitoring: Review system and application access logs for unusual command executions or unexpected process spawning originating from the Coolify service account.

Compensating Controls: Ensure the Coolify instance is running in an isolated container with minimal host-level permissions to limit the impact of a potential container escape or code execution.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical security risk to the integrity of the host server. Administrators are urged to prioritize the update to the latest version immediately to eliminate the command injection vector.