Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable web UI (AV:N) with a low-privileged authenticated account able to add file storage (PR:L), no interaction, and command injection yielding full host compromise (C/I/A:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-controlled file-mount path before creating a volume, allowing an authenticated user who can add file storage to execute commands when the storage is saved. This issue is fixed in version 4.0.0-beta.471.
AnalysisAI
Authenticated command injection in Coolify (self-hostable PaaS) before 4.0.0-beta.471 lets any user with rights to add file storage execute arbitrary OS commands on the host. The LocalFileVolume::saveStorageOnServer routine assembles shell commands from user-controlled fs_path and parent_dir values without escaping, and submitFileStorage never validates the file-mount path before volume creation, so injected shell metacharacters run when the storage is saved. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Coolify account (PR:L) that has permission to add file storage / create a file-mount volume, and the attacker must be able to reach the Coolify web control plane over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with full confidentiality, integrity, and availability impact - a serious rating for an authenticated flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds (or obtains) a low-privileged Coolify account with permission to add file storage creates a new persistent file volume and supplies a mount path containing shell metacharacters (for example a path with an embedded command substitution or ';' separator). When the storage is saved and saveStorageOnServer builds and runs the unescaped shell command, the injected commands execute on the managed host with the privileges of Coolify's provisioning process. … |
| Remediation | Vendor-released patch: upgrade Coolify to 4.0.0-beta.471 or later, which adds validation/escaping of the file-mount path before the volume shell command is built (see advisory https://github.com/coollabsio/coolify/security/advisories/GHSA-46hp-7m8g-7622, PR https://github.com/coollabsio/coolify/pull/9176, commit 3fdce06b654fa3b7b4be59c0faaab6b4546c78de). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Immediately restrict file storage configuration permissions to administrative users only and audit all existing file storage mounts for suspicious paths. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41952