CVE-2026-12815
Received Received - Intake
OS Command Injection in Coolify

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulDB

Description
A vulnerability has been found in coollabsio coolify 4.0.0. Impacted is an unknown function of the component Image Name Handler. Such manipulation leads to os command injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. The changelog for 4.1.2 mentions "[i]mproved image, branch, proxy, and deployment input validation".
Affected Vendors & Products
Showing 2 associated CPEs

Vendor      Product   Version / Range
coollabsio  coolify   From 4.0.0 (inc) to 4.1.2 (exc)
coollabsio  coolify   From 4.0.0 (inc)
CWE ID   Description
CWE-78   The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77   The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Mitigation Strategies

The immediate mitigation is to stop running the vulnerable Coolify 4.x versions and upgrade to a release that includes the improved input validation, i.e. 4.1.2 or later.

Specifically, ensure that Docker image references are validated against OCI grammar and reject any shell metacharacters or control characters in image names.

Avoid constructing shell commands from user input; instead, use argument-array process execution methods to prevent shell injection.

If upgrading is not immediately possible, restrict deployment permissions and isolate the Coolify deployment environment to limit potential impact.
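One way to implement the two controls above, validating image references against the reference grammar and executing with an argument array instead of a shell string. This is an added example, not Coolify's own code (the page does not show the affected handler); the regex is an approximation of the distribution/reference grammar that Docker and OCI registries accept, and the 512-character cap is an assumption.

```python
import re
import subprocess

# Approximation of the distribution/reference grammar (assumption: close
# enough for input validation, not a full normaliser). Anything outside these
# classes, including every shell metacharacter and control character, is
# rejected because the whole string must match.
_COMPONENT = r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"
_HOSTNAME = r"[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?"
_DOMAIN = rf"{_HOSTNAME}(?:\.{_HOSTNAME})*(?::[0-9]+)?"
_TAG = r"\w[\w.-]{0,127}"
_DIGEST = r"[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*:[0-9a-fA-F]{32,}"
IMAGE_REF_RE = re.compile(
    rf"(?:{_DOMAIN}/)?{_COMPONENT}(?:/{_COMPONENT})*(?::{_TAG})?(?:@{_DIGEST})?",
    re.ASCII,
)


def is_valid_image_ref(ref: str) -> bool:
    """Allow-list check: the entire string must parse as an image reference."""
    # The 512-char cap is an assumption that bounds regex work; the spec itself
    # limits the name part to 255 characters.
    if not ref or len(ref) > 512:
        return False
    return IMAGE_REF_RE.fullmatch(ref) is not None


def build_pull_argv(ref: str) -> list[str]:
    """Return the argument vector for pulling a validated reference.

    The vulnerable pattern is f"docker pull {ref}" handed to a shell, where
    ';', '|', '$(...)' or backticks inside ref become shell syntax.
    """
    if not is_valid_image_ref(ref):
        raise ValueError(f"rejected image reference: {ref!r}")
    return ["docker", "pull", ref]


def pull_image(ref: str) -> int:
    """Run the pull with an argv array: no shell parses the reference, so it
    stays a single argument even if validation were ever bypassed."""
    return subprocess.run(build_pull_argv(ref), shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed samples: two legitimate references, three with metacharacters.
    for s in ["ghcr.io/coollabsio/coolify:4.1.2", "nginx@sha256:" + "a" * 64,
              "nginx; id", "nginx$(id)", "nginx`id`"]:
        print(f"{'accept' if is_valid_image_ref(s) else 'reject'}: {s!r}")
```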

Compliance Impact

The vulnerability allows remote OS command injection, potentially leading to unauthorized access and control over hosts, secrets, registries, and infrastructure. Such unauthorized access and potential data compromise could negatively impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Executive Summary

CVE-2026-12815 is a critical OS command injection vulnerability found in Coolify's Docker image reference fields during deployment. The vulnerability occurs because Coolify constructs shell commands directly from user-provided Docker image references. This allows attackers to insert shell metacharacters that break out of the intended command context and execute arbitrary code on the system.

The issue affects Coolify version 4.x and involves improper input validation of image names, which leads to the possibility of remote code execution with the privileges of Coolify's deployment worker or server.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to execute arbitrary OS commands remotely on the affected system. Exploiting this flaw can lead to full compromise of the host running Coolify, including access to secrets, container registries, and the underlying infrastructure.

Attackers can leverage this to gain unauthorized control, disrupt services, steal sensitive information, or use the compromised system as a pivot point for further attacks.

Detection Guidance

This vulnerability involves OS command injection through Docker image reference fields during deployment in Coolify. Detection can focus on monitoring deployment commands or logs for suspicious shell metacharacters or unusual command executions originating from image references.

You can inspect running Coolify deployment processes or logs for injected shell metacharacters such as ;, &, |, $, `, or other control characters in Docker image references.

Suggested commands include:

  • Use process monitoring tools like `ps aux | grep coolify` to check for suspicious command lines.
  • Check deployment logs for unusual image reference strings containing shell metacharacters: ``grep -E '[;&|$`]' /path/to/coolify/logs/deployment.log``
  • Use network monitoring tools to detect unusual outbound connections or commands triggered by deployments.