CVE-2026-42143

CoolLabs · Coolify

Coolify is susceptible to an OS Command Injection vulnerability, permitting authenticated users to execute arbitrary commands on the host server.

Executive summary

An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, potentially leading to full server compromise.

Vulnerability

This is an OS Command Injection (CWE-78) vulnerability occurring when the application fails to properly sanitize user-supplied input before passing it to system-level commands. This requires the attacker to have an authenticated session to the Coolify interface.

Business impact

With a CVSS score of 8.8, this vulnerability represents a high-risk scenario for any organization utilizing Coolify for infrastructure management. Exploitation could result in a full compromise of the application server, enabling the attacker to manipulate managed databases or deploy malicious applications.

Remediation

Immediate Action: Update the Coolify installation to version 4.0.0-beta.471 or higher to patch the command injection vulnerability.

Proactive Monitoring: Monitor system audit logs for unauthorized command execution or unexpected spikes in CPU usage associated with the Coolify service.

Compensating Controls: Implement strict network segmentation to ensure the host system is not directly accessible from untrusted networks, reducing the attack surface.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate patching is required to secure the environment. Organizations should verify that their instance of Coolify is updated to at least version 4.0.0-beta.471 to ensure this vulnerability is addressed.