Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Authenticated low-privilege user (PR:L) injects commands over the network with low complexity and no interaction, yielding full RCE on the managed host (C/I/A:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471.
AnalysisAI
Command injection in Coolify before 4.0.0-beta.471 lets an authenticated user break out of the pre-deployment and post-deployment command fields and run arbitrary shell statements on the target deployment server. The supplied commands are single-quote escaped but then piped through an SSH heredoc transport that preserves newlines, so newline-delimited injected statements survive escaping and execute during deployment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated Coolify account (PR:L) with permission to set a resource's pre-deployment or post-deployment command field, and requires that a deployment of that resource actually run so the injected heredoc payload is transported over SSH and executed on the managed remote server. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 8.8) indicates a low-privilege authenticated user can achieve full CIA impact over the network with low complexity and no user interaction - a genuinely high-priority issue on any multi-user Coolify instance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privileged but authenticated Coolify account creates or edits an application and sets a pre-deployment command containing a newline followed by an extra shell statement such as a reverse shell or credential-harvesting command. When the deployment runs, the single-quote escaping fails to neutralize the newline inside the SSH heredoc, so the injected statement executes on the remote managed server with the deployment process's privileges. … |
| Remediation | Vendor-released patch: upgrade Coolify to 4.0.0-beta.471 or later, which corrects how pre/post-deployment commands are handled before SSH heredoc transport (fix in PR #9173, commit ad95d65). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: restrict Coolify administrative access to essential personnel only; revoke unnecessary accounts and perform full audit of active user access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41990