CVE-2026-42204
CoolLabs · Coolify
Coolify is susceptible to OS command injection, allowing authenticated attackers to execute arbitrary system commands via improper neutralization of special elements.
Executive summary
A high-severity OS command injection vulnerability in Coolify allows authenticated attackers to execute arbitrary system-level commands, posing a critical risk to server integrity.
Vulnerability
This vulnerability is an OS Command Injection (CWE-78) flaw. It requires an authenticated user to provide malicious input that is not properly sanitized, enabling the execution of unauthorized commands on the underlying host operating system.
Business impact
The exploitation of this flaw allows an attacker to gain full control over the server hosting Coolify. Given the CVSS score of 8.8, this represents a high risk of total system compromise, including unauthorized data access, modification of application databases, and potential lateral movement into the broader network infrastructure.
Remediation
Immediate Action: Update the Coolify instance to version 4.0.0-beta.474 or later immediately to incorporate the necessary security patches.
Proactive Monitoring: Monitor system logs for unusual process execution, unexpected shell commands, or unauthorized modifications to critical configuration files.
Compensating Controls: Implement strict network segmentation and ensure the Coolify service runs with the least-privileged user account necessary to limit the impact of potential command execution.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to execute arbitrary OS commands is a critical security failure. Administrators must prioritize upgrading to version 4.0.0-beta.474 without delay. Failure to patch this vulnerability leaves the underlying server environment exposed to full administrative takeover.