CVE-2026-34168

CoolLabs · Coolify

Coolify is vulnerable to OS Command Injection, allowing authenticated users to execute arbitrary commands on the underlying host system.

Executive summary

An OS command injection vulnerability in Coolify allows authenticated attackers to achieve remote code execution, posing a severe risk to host infrastructure.

Vulnerability

This vulnerability is an OS Command Injection (CWE-78) flaw that allows an authenticated user with low privileges to inject and execute arbitrary OS commands. The vulnerability exists due to improper neutralization of special elements used in system calls.

Business impact

Successful exploitation allows an attacker to gain unauthorized control over the server hosting Coolify. Given the high CVSS score of 8.8, this vulnerability could lead to complete system compromise, unauthorized data access, and the potential for lateral movement within the network.

Remediation

Immediate Action: Upgrade Coolify to version 4.0.0-beta.471 or later immediately to resolve the injection flaw.

Proactive Monitoring: Review system logs for suspicious process execution patterns or unexpected shell commands originating from the Coolify service account.

Compensating Controls: Ensure the Coolify service is running with the least privilege necessary on the host OS to limit the impact of potential command execution.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability presents a significant risk to the integrity and confidentiality of the host environment. Administrators should prioritize patching to version 4.0.0-beta.471 immediately to mitigate the risk of remote code execution.