CVE-2026-59734

Coollabs · Coolify

Coolify is vulnerable to OS Command Injection, allowing an authenticated user to execute arbitrary commands on the underlying server.

Executive summary

An OS command injection vulnerability in Coolify allows authenticated attackers to achieve remote code execution, posing a critical risk to self-hosted server environments.

Vulnerability

This vulnerability is an OS Command Injection (CWE-78) flaw. An attacker with low-level authenticated access can manipulate input parameters to inject and execute arbitrary system commands on the host server.

Business impact

Successful exploitation allows an attacker to gain full control over the server hosting the Coolify instance. With a CVSS score of 8.8, this vulnerability carries a high risk of total system compromise, unauthorized data access, and the potential for lateral movement into the wider network infrastructure.

Remediation

Immediate Action: Upgrade Coolify to version 4.0.0-beta.469 or later immediately to include the necessary input neutralization patches.

Proactive Monitoring: Review system and application logs for unusual process execution patterns or unexpected shell invocations originating from the Coolify service account.

Compensating Controls: Implement strict network segmentation and ensure the application runs with the least privilege necessary to limit the blast radius of a potential command injection.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the severity of potential remote code execution, administrators should prioritize updating their Coolify instances. Ensure that all security patches are applied and verify that the application is isolated from sensitive internal resources.