CVE-2026-27955

Command Injection in Coolify Prior to 4.0.0-beta.464

Vulnerability report for CVE-2026-27955, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing a single quote to break out of the bash -c argument and execute commands on the managed server host (outside the intended Docker container context). This vulnerability is fixed in 4.0.0-beta.464.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: coollabsio
Product: coolify
Version / Range: up to 4.0.0-beta.464 (exclusive)

Exploitability

CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-27955 is a command injection vulnerability in the Coolify application, specifically in the executeInDocker() helper function.

The vulnerability occurs because the function wraps commands in bash -c '{$command}' without properly escaping single quotes in user-controlled fields such as docker_compose_custom_build_command and docker_compose_custom_start_command.

Because of this missing escaping, a single quote in the field value terminates the bash -c argument early, so the remainder is parsed and executed by the shell on the managed server host rather than inside the intended Docker container.

Exploitation requires high privileges, including API write access and application update authorization.

The vulnerability bypasses container isolation, enabling commands to run directly on the host system.

Impact Analysis

This vulnerability can allow an attacker with sufficient privileges to execute arbitrary commands on the managed server host outside of the Docker container.

Such command execution on the host can lead to unauthorized access, data compromise, service disruption, or further system compromise.

Because the vulnerability bypasses container isolation, it increases the risk of severe impact despite existing access controls.

Mitigation Strategies

To mitigate this vulnerability, upgrade Coolify to version 4.0.0-beta.464 or later, where the executeInDocker() helper function properly escapes single quotes in user-controlled fields.

If upgrading immediately is not possible, ensure that user-controlled fields such as docker_compose_custom_build_command and docker_compose_custom_start_command are not set with untrusted input, as these fields are directly interpolated and can lead to command injection.

The root cause is improper escaping of single quotes in commands wrapped by bash -c, so applying proper escaping at the source code level or at all call sites is recommended to prevent exploitation.
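The description and the mitigation note on escaping at call sites both come down to one shell-quoting rule. The script below is an added example, not Coolify's own code: shell_quote, wrap_unsafe, wrap_safe, count_args, script_arg and the SAMPLE value are constructed for the illustration and do not correspond to the real executeInDocker() implementation.

```shell
#!/bin/sh
# Added example, not Coolify's own code. It models the quoting defect the
# advisory describes (a wrapper that builds  bash -c '<value>'  by plain
# string interpolation) next to a wrapper that quotes the value correctly.

# shell_quote: single-quote VALUE so the shell parses it as exactly one word.
# Every embedded ' becomes '\'' (close quote, escaped quote, reopen quote),
# the same transformation PHP's escapeshellarg() applies.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Vulnerable pattern: literal quotes placed around the raw value.
wrap_unsafe() { printf "bash -c '%s'" "$1"; }

# Hardened pattern: the value is quoted by shell_quote before interpolation.
wrap_safe() { printf "bash -c %s" "$(shell_quote "$1")"; }

# count_args: number of words the shell makes of a wrapped command line.
# The argument to bash -c must always be exactly one word, so a correctly
# quoted wrapper yields 3 words (bash, -c, <script>) whatever the value is.
count_args() {
    eval "set -- $1" 2>/dev/null || { echo error; return; }
    echo "$#"
}

# script_arg: the word the shell would hand to bash -c (the third word).
script_arg() {
    eval "set -- $1" 2>/dev/null || return 1
    printf '%s' "$3"
}

# Constructed value: a plausible custom build command containing a single
# quote, such as a user might legitimately enter in the build-command field.
SAMPLE="echo 'build started' && npm run build"

# Unsafe wrapping splits the value into several words: the embedded quotes
# end the wrapper's quoted region early, so the trailing text is parsed by
# the host shell instead of being passed to bash -c as data.
count_args "$(wrap_unsafe "$SAMPLE")"   # 4
# Safe wrapping keeps the value as one word, delivered intact to bash -c.
count_args "$(wrap_safe "$SAMPLE")"     # 3
script_arg "$(wrap_safe "$SAMPLE")"     # prints SAMPLE unchanged
```

The same check (the value must survive as exactly one word, byte for byte) is the property a reviewer should look for at every call site that interpolates a user-supplied field into bash -c.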

Detection Guidance

This vulnerability involves command injection through user-controlled fields in the Coolify application, specifically in the executeInDocker() helper function. Detection would focus on identifying unusual or unauthorized commands executed on the managed server host outside the Docker container context.

Since the vulnerability requires high privileges and API write access to inject malicious commands, monitoring API usage and changes to the docker_compose_custom_build_command and docker_compose_custom_start_command fields can help detect exploitation attempts.

Suggested checks for detecting potential exploitation include:

  • Review recent changes or suspicious entries in the Coolify configuration related to docker_compose_custom_build_command and docker_compose_custom_start_command.
  • Check process execution logs on the host for commands executed via bash -c that include unescaped single quotes or unexpected command sequences.
  • Use commands like `ps aux | grep bash` or `ps aux | grep docker` to identify suspicious bash processes spawned by Coolify.
  • Audit API logs for unauthorized or unusual write requests to the Coolify API that modify build or start commands.
  • If possible, enable command auditing on the host system (e.g., using auditd) to log execution of commands that could indicate exploitation.
