CVE-2026-42204

CoolLabs · Coolify

Coolify is susceptible to OS command injection, allowing authenticated attackers to execute arbitrary system commands via improper neutralization of special elements.

Executive summary

A high-severity OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system-level commands, posing a critical risk to server integrity.

Vulnerability

This vulnerability is an OS Command Injection (CWE-78) flaw. It requires an authenticated user to provide malicious input that is not properly sanitized, enabling the execution of unauthorized commands on the underlying host operating system.

Business impact

The exploitation of this flaw allows an attacker to gain full control over the server hosting Coolify. Given the CVSS score of 8.8, this represents a high risk of total system compromise, including unauthorized data access, modification of application databases, and potential lateral movement into the broader network infrastructure.

Remediation

Immediate Action: Update the Coolify instance to version 4.0.0-beta.474 or later immediately to incorporate the necessary security patches.

Proactive Monitoring: Monitor system logs for unusual process execution, unexpected shell commands, or unauthorized modifications to critical configuration files.

Compensating Controls: Implement strict network segmentation and ensure the Coolify service runs with the least-privileged user account necessary to limit the impact of potential command execution.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to execute arbitrary OS commands is a critical security failure. Administrators must prioritize upgrading to version 4.0.0-beta.474 without delay. Failure to patch this vulnerability leaves the underlying server environment exposed to full administrative takeover.