CVE-2026-59734
Coollabs · Coolify
Coolify is vulnerable to OS Command Injection, allowing an authenticated user to execute arbitrary commands on the underlying server.
Executive summary
An OS command injection vulnerability in Coolify allows authenticated attackers to achieve remote code execution, posing a critical risk to self-hosted server environments.
Vulnerability
This vulnerability is an OS Command Injection (CWE-78) flaw. An attacker with low-level authenticated access can manipulate input parameters to inject and execute arbitrary system commands on the host server.
Business impact
Successful exploitation allows an attacker to gain full control over the server hosting the Coolify instance. With a CVSS score of 8.8, this vulnerability carries a high risk of total system compromise, unauthorized data access, and the potential for lateral movement into the wider network infrastructure.
Remediation
Immediate Action: Upgrade Coolify to version 4.0.0-beta.469 or later immediately to include the necessary input neutralization patches.
Proactive Monitoring: Review system and application logs for unusual process execution patterns or unexpected shell invocations originating from the Coolify service account.
Compensating Controls: Implement strict network segmentation and ensure the application runs with the least privilege necessary to limit the blast radius of a potential command injection.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the severity of potential remote code execution, administrators should prioritize updating their Coolify instances. Ensure that all security patches are applied and verify that the application is isolated from sensitive internal resources.