Skip to main content
Security News Jul 07, 2026 by vuln.today Threat Intelligence

Critical Cross-Tenant Access Vulnerability in Coolify Self-Hosted PaaS - CVE-2026-34037

Related CVEs

Other CVEs in Same Group

CVE-2026-34047 CRITICAL 9.9

Privilege escalation via broken authorization in Coolify's self-hosted server/application management platform lets any authenticated low-privilege user reach terminal WebSocket functionality for resources outside their authorized scope, prior to version 4.0.0-beta.471. Because the terminal bootstrap routes skipped the expected authorization middleware, an attacker with a valid account can potentially execute commands on servers and containers they should not control. No public exploit identified at time of analysis, and there is no CISA KEV listing, but the fix is confirmed in release v4.0.0-beta.471.

CVE-2026-34048 CRITICAL 9.9

Improper authorization in Coolify's terminal websocket bootstrap routes lets any low-privileged team member execute arbitrary commands on team-managed servers, because the routes verify only that a request is authenticated but never check whether the caller is authorized to use the terminal. Affecting all Coolify versions prior to 4.0.0-beta.471, this CWE-285 flaw carries a critical 9.9 CVSS score with a scope change, effectively granting shell access to underlying infrastructure from a minimal application role. No public exploit identified at time of analysis, but the low complexity and low privilege bar make it a high-priority patch.

CVE-2026-34058 HIGH 8.8

OS command injection in Coolify's self-hosted server-management platform (all versions prior to 4.0.0-beta.471) lets any authenticated team member execute arbitrary shell commands on any managed remote server. The flaw lives in the Livewire Server\Resources component, whose public startUnmanaged/stopUnmanaged/restartUnmanaged methods take a browser-supplied container ID and interpolate it unescaped into SSH-executed shell commands. No public exploit identified at time of analysis and it is not in CISA KEV, but the trivially low complexity (CVSS 8.8) makes exploitation straightforward for anyone with a team account.

CVE-2026-34158 HIGH 8.8

OS command injection in Coolify, the open-source self-hostable server/application/database management PaaS, allows an authenticated user with permission to edit application settings (versions prior to 4.0.0-beta.469) to run arbitrary commands on the managed host. The flaw lives in the executeInDocker() helper, which wraps user-controlled values in single quotes without escaping embedded quotes, letting an attacker break out of the quoted shell context during deployments and escape the intended Docker container confinement. No public exploit identified at time of analysis; this is not listed in CISA KEV.

CVE-2026-34035 HIGH 8.8

OS command injection in Coolify (self-hosted server/application/database management platform) before 4.0.0-beta.466 lets an authenticated user execute arbitrary commands on the host by supplying log drain secret or environment values that are interpolated into shell commands without proper encoding. Because Coolify orchestrates the underlying host, the injected commands run with the platform's host-level context, effectively yielding host takeover. No public exploit identified at time of analysis; this is not in CISA KEV and no POC is referenced, so risk is driven by the ease of authenticated exploitation rather than confirmed in-the-wild activity.

CVE-2026-34057 HIGH 8.8

OS command injection in Coolify's self-hosted server/app management platform lets an authenticated user achieve remote code execution on the underlying host via a malicious database import container name. The database import Livewire component passes client-controlled container and server properties into shell commands without locking or validation, so any low-privileged authenticated user can inject arbitrary commands. Rated CVSS 8.8 and fixed in 4.0.0-beta.471; no public exploit identified at time of analysis and it is not listed in CISA KEV.

CVE-2026-34034 HIGH 8.8

Authenticated command injection in Coolify (self-hosted server/application/database management platform) before 4.0.0-beta.466 lets a user with access to a server's Sentinel settings embed shell metacharacters in the sentinel_token value, which is passed unsanitized into a shell command and executed on the host the next time Sentinel is restarted (CWE-78). The flaw yields full host command execution with confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor has released a fixed build (v4.0.0-beta.466) with an available upstream commit.

CVE-2026-34044 HIGH 7.7

Cross-tenant log disclosure in Coolify (self-hosted PaaS) before 4.0.0-beta.466 lets any authenticated user read application logs belonging to other teams by supplying a victim resource's UUID. The Logs::mount() component resolves resources by UUID alone without verifying the caller's team ownership, breaking the multi-tenant isolation boundary. Rated CVSS 7.7 (CWE-639, IDOR); no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is a one-line-class authorization check that is trivially reversible from the public commit.

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy