CVE-2026-34158

CoolLabs · Coolify

Coolify is vulnerable to OS Command Injection, allowing an authenticated user to execute arbitrary commands on the underlying host system.

Executive summary

An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, posing a high risk to server integrity and data confidentiality.

Vulnerability

This vulnerability is an OS Command Injection (CWE-78) flaw that permits an authenticated user with low-level privileges to inject malicious commands into the host operating system. The vulnerability stems from improper neutralization of special elements used in system calls.

Business impact

The ability to execute arbitrary OS commands provides an attacker with a foothold on the server, potentially leading to full system compromise. With a CVSS score of 8.8, this high-severity vulnerability could result in unauthorized data exfiltration, service disruption, and the deployment of persistent malware within the infrastructure.

Remediation

Immediate Action: Upgrade Coolify to version 4.0.0-beta.469 or later to incorporate the necessary security patches.

Proactive Monitoring: Review system and application logs for unexpected shell process executions or irregular administrative activity.

Compensating Controls: Implement strict network segmentation and restrict access to the management interface to trusted IP addresses to limit the potential attack surface.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8, this vulnerability represents a significant risk to the security of the host environment. Organizations should prioritize updating their Coolify instances to the latest available version immediately to remediate the command injection vector and prevent potential unauthorized remote code execution.