Skip to main content
16 CVEs CRITICAL CVSS 9.9

Coolify Server Management Platform Multiple Flaws

2026-07-07

CVE-2026-34048 CRITICAL PATCH

Improper authorization in Coolify's terminal websocket bootstrap routes lets any low-privileged team member execute arbitrary commands on team-managed servers, because the routes verify only that a request is authenticated but never check whether the caller is authorized to use the terminal. Affecting all Coolify versions prior to 4.0.0-beta.471, this CWE-285 flaw carries a critical 9.9 CVSS score with a scope change, effectively granting shell access to underlying infrastructure from a minimal application role. No public exploit identified at time of analysis, but the low complexity and low privilege bar make it a high-priority patch.

9.9
CVSS
0.4%
EPSS
CVE-2026-34037 CRITICAL PATCH

Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. Rated CVSS 9.9 with scope change; no public exploit identified at time of analysis, but a fixing commit and vendor advisory are published.

9.9
CVSS
0.2%
EPSS
CVE-2026-34047 CRITICAL PATCH

Privilege escalation via broken authorization in Coolify's self-hosted server/application management platform lets any authenticated low-privilege user reach terminal WebSocket functionality for resources outside their authorized scope, prior to version 4.0.0-beta.471. Because the terminal bootstrap routes skipped the expected authorization middleware, an attacker with a valid account can potentially execute commands on servers and containers they should not control. No public exploit identified at time of analysis, and there is no CISA KEV listing, but the fix is confirmed in release v4.0.0-beta.471.

9.9
CVSS
0.4%
EPSS
CVE-2026-34058 HIGH PATCH

OS command injection in Coolify's self-hosted server-management platform (all versions prior to 4.0.0-beta.471) lets any authenticated team member execute arbitrary shell commands on any managed remote server. The flaw lives in the Livewire Server\Resources component, whose public startUnmanaged/stopUnmanaged/restartUnmanaged methods take a browser-supplied container ID and interpolate it unescaped into SSH-executed shell commands. No public exploit identified at time of analysis and it is not in CISA KEV, but the trivially low complexity (CVSS 8.8) makes exploitation straightforward for anyone with a team account.

8.8
CVSS
0.4%
EPSS
CVE-2026-34158 HIGH PATCH

OS command injection in Coolify, the open-source self-hostable server/application/database management PaaS, allows an authenticated user with permission to edit application settings (versions prior to 4.0.0-beta.469) to run arbitrary commands on the managed host. The flaw lives in the executeInDocker() helper, which wraps user-controlled values in single quotes without escaping embedded quotes, letting an attacker break out of the quoted shell context during deployments and escape the intended Docker container confinement. No public exploit identified at time of analysis; this is not listed in CISA KEV.

8.8
CVSS
0.4%
EPSS
CVE-2026-34035 HIGH PATCH

OS command injection in Coolify (self-hosted server/application/database management platform) before 4.0.0-beta.466 lets an authenticated user execute arbitrary commands on the host by supplying log drain secret or environment values that are interpolated into shell commands without proper encoding. Because Coolify orchestrates the underlying host, the injected commands run with the platform's host-level context, effectively yielding host takeover. No public exploit identified at time of analysis; this is not in CISA KEV and no POC is referenced, so risk is driven by the ease of authenticated exploitation rather than confirmed in-the-wild activity.

8.8
CVSS
0.3%
EPSS
CVE-2026-34057 HIGH PATCH

OS command injection in Coolify's self-hosted server/app management platform lets an authenticated user achieve remote code execution on the underlying host via a malicious database import container name. The database import Livewire component passes client-controlled container and server properties into shell commands without locking or validation, so any low-privileged authenticated user can inject arbitrary commands. Rated CVSS 8.8 and fixed in 4.0.0-beta.471; no public exploit identified at time of analysis and it is not listed in CISA KEV.

8.8
CVSS
0.3%
EPSS
CVE-2026-34034 HIGH PATCH

Authenticated command injection in Coolify (self-hosted server/application/database management platform) before 4.0.0-beta.466 lets a user with access to a server's Sentinel settings embed shell metacharacters in the sentinel_token value, which is passed unsanitized into a shell command and executed on the host the next time Sentinel is restarted (CWE-78). The flaw yields full host command execution with confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor has released a fixed build (v4.0.0-beta.466) with an available upstream commit.

8.8
CVSS
0.4%
EPSS
CVE-2026-34044 HIGH PATCH

Cross-tenant log disclosure in Coolify (self-hosted PaaS) before 4.0.0-beta.466 lets any authenticated user read application logs belonging to other teams by supplying a victim resource's UUID. The Logs::mount() component resolves resources by UUID alone without verifying the caller's team ownership, breaking the multi-tenant isolation boundary. Rated CVSS 7.7 (CWE-639, IDOR); no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is a one-line-class authorization check that is trivially reversible from the public commit.

7.7
CVSS
0.2%
EPSS
CVE-2026-34198 MEDIUM PATCH

Password reset poisoning in Coolify prior to 4.0.0-beta.471 enables unauthenticated account takeover by injecting a forged X-Forwarded-Host header during a password reset request. Two compounding middleware failures make this possible: TrustProxies trusts all proxy sources unconditionally, and TrustHosts is rendered inoperable by a circular caching dependency, meaning the Host header is never validated. The reset URL is generated from the spoofed request host, so the victim's reset token is delivered to an attacker-controlled domain. No public exploit is identified at time of analysis, but the attack is low-friction and the fix is confirmed in version 4.0.0-beta.471.

5.3
CVSS
0.1%
EPSS
CVE-2026-42147 MEDIUM PATCH

Server-Side Request Forgery (SSRF) in Coolify prior to v4.0.0-beta.474 enables an authenticated user holding storage management permissions to coerce the application server into issuing HTTP requests to arbitrary internal addresses, including cloud instance metadata services. The vulnerable code path is Coolify's S3 storage endpoint testConnection() function, which blindly fetches the caller-supplied URL after only superficial format validation. No public exploit or CISA KEV listing exists at time of analysis, but cloud-hosted deployments face elevated risk because successful exploitation can expose cloud provider credentials via metadata endpoints such as AWS IMDSv1.

4.9
CVSS
0.3%
EPSS
CVE-2026-34170 MEDIUM PATCH

Server-Side Request Forgery (SSRF) in Coolify's GitHub App integration exposes internal network services and cloud metadata endpoints to authenticated low-privilege users. Versions prior to 4.0.0-beta.471 allow any authenticated user to set the GithubApp api_url field to an arbitrary URL - including RFC 1918 private addresses or cloud instance metadata endpoints like 169.254.169.254 - which Coolify then fetches server-side without restriction. No public exploit identified at time of analysis, but the attack pattern is well understood and particularly dangerous in cloud-hosted deployments where metadata endpoints may expose IAM credentials.

4.3
CVSS
0.2%
EPSS
CVE-2026-42201 LOW PATCH

OS command injection in Coolify's database service configuration API allows authenticated administrators to execute arbitrary shell commands within Docker container contexts by embedding shell metacharacters into database credential fields. All Coolify versions prior to 4.0.0-beta.474 are affected, covering deployments managing Redis, KeyDB, Dragonfly, ClickHouse, PostgreSQL, and MySQL services. No public exploit code has been identified at time of analysis, and the CVSS PR:H requirement confines the attack surface to already-privileged admin accounts, positioning this as a post-compromise escalation risk rather than an initial access vector.

3.3
CVSS
0.2%
EPSS
CVE-2026-34149 LOW PATCH

Command injection in Coolify's DatabaseBackupJob allows authenticated users holding database management permissions to execute arbitrary OS commands on managed servers by embedding shell metacharacters in database credentials or MongoDB collection exclusion names. All Coolify releases prior to 4.0.0-beta.471 are affected. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; however, the practical impact substantially exceeds the official CVSS 3.3 Low rating because successful exploitation grants attacker-controlled shell execution on production infrastructure managed by the platform.

3.3
CVSS
0.2%
EPSS
CVE-2026-42145 LOW PATCH

Coolify's database backup restore file upload endpoint accepts uploads without enforcing any file type or size constraints, enabling an authenticated user to degrade service availability by uploading oversized or unexpected files. All releases prior to 4.0.0-beta.474 are affected per CPE cpe:2.3:a:coollabsio:coolify. No public exploit code exists and the vulnerability is not listed in CISA KEV; with a CVSS score of 3.1 and availability-only impact, this represents a low-priority issue for most operators, especially given the authenticated access requirement.

3.1
CVSS
0.2%
EPSS
CVE-2026-42172 LOW PATCH

Sanctum API tokens in Coolify never expire prior to v4.0.0-beta.474, meaning any token that is leaked or stolen remains permanently valid until an administrator manually revokes it. This affects the self-hosted server, application, and database management platform across all versions below 4.0.0-beta.474. An attacker who obtains a valid API token via secondary means retains indefinite read access to the Coolify API without natural time-bounded expiry as a safeguard. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained real-world impact.

3.1
CVSS
0.2%
EPSS

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy