CVE-2026-34153
CoolLabs · Coolify
Coolify is susceptible to an OS Command Injection vulnerability, allowing authenticated attackers to execute arbitrary system commands on the host server.
Executive summary
An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary code on the underlying host, posing a significant risk to the entire self-hosted environment.
Vulnerability
The application fails to properly neutralize special elements used in an OS command, enabling an authenticated user to perform OS command injection. This vulnerability requires a low-privilege authenticated session to initiate the attack.
Business impact
Successful exploitation of this vulnerability grants an attacker the ability to execute commands with the privileges of the Coolify application. Given the CVSS score of 8.8, this poses a high risk of full system compromise, unauthorized data access, and potential lateral movement into other databases or services managed by the platform.
Remediation
Immediate Action: Upgrade Coolify to version 4.0.0-beta.471 or later to implement the necessary input neutralization patches.
Proactive Monitoring: Review system and application access logs for unusual command executions or unexpected process spawning originating from the Coolify service account.
Compensating Controls: Ensure the Coolify instance is running in an isolated container with minimal host-level permissions to limit the impact of a potential container escape or code execution.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical security risk to the integrity of the host server. Administrators are urged to prioritize the update to the latest version immediately to eliminate the command injection vector.