Skip to main content

Coolify CVE-2026-34038

| EUVDEUVD-2026-41943 CRITICAL
OS Command Injection (CWE-78)
2026-07-06 GitHub_M
9.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable dashboard (AV:N), trivial injection (AC:L), needs authenticated app-write user (PR:L), no interaction (UI:N); injection escapes app to host affecting other tenants (S:C) with full C/I/A loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jul 06, 2026 - 22:02 EUVD
Analysis Generated
Jul 06, 2026 - 21:42 vuln.today
CVE Published
Jul 06, 2026 - 20:48 cve.org
CRITICAL 9.9

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469.

AnalysisAI

Remote command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 lets an authenticated user with application write permissions inject OS commands through deployment-handling fields such as dockerfile_location, achieving arbitrary code execution on the deployment host and exfiltrating secrets via deployment logs. The flaw scores CVSS 9.9 because command injection breaks out of the application context to compromise the underlying server (scope change), exposing environment variables and other applications' secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with application write permissions
Delivery
Inject shell metacharacters into dockerfile_location/deploy command
Exploit
Trigger application deployment
Execution
Coolify executes injected command on host
Persist
Read environment variables and run arbitrary code
Impact
Exfiltrate secrets via deployment logs

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Coolify account holding application write permissions on at least one application (PR:L) and the ability to modify deployment-related fields - specifically dockerfile_location or deployment commands - then trigger a deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A team member (or a compromised/low-trust account) that has been granted application write permissions on a shared Coolify instance edits an application's deployment settings, placing shell metacharacters and an injected command in the dockerfile_location or deployment command field. When the deployment runs, Coolify's build pipeline executes the injected command on the host, allowing the attacker to run arbitrary code and read environment variables of other applications, which are then visible in the deployment logs. …
Remediation Vendor-released patch: upgrade to Coolify 4.0.0-beta.469 or later (tagged release https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.469; advisory https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit who has application write permissions in Coolify and implement principle of least privilege for access control. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

CVE-2026-34038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy