CVE-2026-42143
CoolLabs · Coolify
Coolify is susceptible to an OS Command Injection vulnerability, permitting authenticated users to execute arbitrary commands on the host server.
Executive summary
An OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, potentially leading to full server compromise.
Vulnerability
This is an OS Command Injection (CWE-78) vulnerability occurring when the application fails to properly sanitize user-supplied input before passing it to system-level commands. This requires the attacker to have an authenticated session to the Coolify interface.
Business impact
With a CVSS score of 8.8, this vulnerability represents a high-risk scenario for any organization utilizing Coolify for infrastructure management. Exploitation could result in a full compromise of the application server, enabling the attacker to manipulate managed databases or deploy malicious applications.
Remediation
Immediate Action: Update the Coolify installation to version 4.0.0-beta.471 or higher to patch the command injection vulnerability.
Proactive Monitoring: Monitor system audit logs for unauthorized command execution or unexpected spikes in CPU usage associated with the Coolify service.
Compensating Controls: Implement strict network segmentation to ensure the host system is not directly accessible from untrusted networks, reducing the attack surface.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Immediate patching is required to secure the environment. Organizations should verify that their instance of Coolify is updated to at least version 4.0.0-beta.471 to ensure this vulnerability is addressed.