CVE-2026-42153

CoolLabs · Coolify

Coolify is vulnerable to an OS command injection flaw, allowing authenticated attackers to execute arbitrary code on the host operating system.

Executive summary

A critical OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system commands, resulting in a high risk of total system compromise.

Vulnerability

The application incorrectly handles special characters, which allows an authenticated attacker to inject and execute OS commands. This vulnerability leverages the application's internal functions to interact with the host system unexpectedly.

Business impact

The CVSS score of 8.8 underscores the severity of this vulnerability, which allows attackers to gain unauthorized control over the server environment. This could result in the compromise of sensitive credentials, data theft, or the use of the server in further malicious activities.

Remediation

Immediate Action: Upgrade to Coolify version 4.0.0-beta.474 or higher to resolve the underlying input validation issues.

Proactive Monitoring: Review application logs for input patterns containing shell metacharacters and monitor for suspicious unauthorized system processes.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common OS command injection patterns in HTTP requests.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Maintaining an outdated version of Coolify exposes the host environment to significant risk. It is imperative that administrators apply the provided security patch immediately to ensure the security of the application and the host server.