Skip to main content

Coolify CVE-2026-34153

| EUVDEUVD-2026-41952 HIGH
OS Command Injection (CWE-78)
2026-07-06 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable web UI (AV:N) with a low-privileged authenticated account able to add file storage (PR:L), no interaction, and command injection yielding full host compromise (C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 23:01 EUVD
Analysis Generated
Jul 06, 2026 - 22:33 vuln.today

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-controlled file-mount path before creating a volume, allowing an authenticated user who can add file storage to execute commands when the storage is saved. This issue is fixed in version 4.0.0-beta.471.

AnalysisAI

Authenticated command injection in Coolify (self-hostable PaaS) before 4.0.0-beta.471 lets any user with rights to add file storage execute arbitrary OS commands on the host. The LocalFileVolume::saveStorageOnServer routine assembles shell commands from user-controlled fs_path and parent_dir values without escaping, and submitFileStorage never validates the file-mount path before volume creation, so injected shell metacharacters run when the storage is saved. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Coolify with file-storage rights
Delivery
Create file volume with crafted mount path
Exploit
Inject shell metacharacters in fs_path/parent_dir
Execution
saveStorageOnServer runs unescaped command
Persist
Execute arbitrary commands on host
Impact
Compromise managed server

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Coolify account (PR:L) that has permission to add file storage / create a file-mount volume, and the attacker must be able to reach the Coolify web control plane over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with full confidentiality, integrity, and availability impact - a serious rating for an authenticated flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or obtains) a low-privileged Coolify account with permission to add file storage creates a new persistent file volume and supplies a mount path containing shell metacharacters (for example a path with an embedded command substitution or ';' separator). When the storage is saved and saveStorageOnServer builds and runs the unescaped shell command, the injected commands execute on the managed host with the privileges of Coolify's provisioning process. …
Remediation Vendor-released patch: upgrade Coolify to 4.0.0-beta.471 or later, which adds validation/escaping of the file-mount path before the volume shell command is built (see advisory https://github.com/coollabsio/coolify/security/advisories/GHSA-46hp-7m8g-7622, PR https://github.com/coollabsio/coolify/pull/9176, commit 3fdce06b654fa3b7b4be59c0faaab6b4546c78de). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Immediately restrict file storage configuration permissions to administrative users only and audit all existing file storage mounts for suspicious paths. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

CVE-2026-34153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy