CVE-2026-34597
Status: Received - Intake

Authenticated RCE in Coolify via Nixpacks Build Parameters

Vulnerability report for CVE-2026-34597, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: coolify
Product: coolify
Version / Range: up to 4.0.0-beta.470 (excluding)

CWE

CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Executive Summary

This vulnerability exists in Coolify, an open-source tool for managing servers, applications, and databases. Before version 4.0.0-beta.470, there was a critical security flaw in how Coolify handled user-defined build parameters for the Nixpacks build pack.

Specifically, the install_command provided by a user was directly concatenated into a shell command string that runs on the deployment host during the build phase. Because the host shell parses that string, an attacker could craft the install_command to escape the intended build context and execute arbitrary commands on the host with host-level privileges.

This type of vulnerability is known as an Authenticated Host Remote Code Execution (RCE) vulnerability and was fixed in version 4.0.0-beta.470.

Impact Analysis

This vulnerability allows an attacker with authenticated access to execute arbitrary commands on the deployment host with host-level privileges.

The impact includes potential full system compromise, unauthorized access to sensitive data, disruption of services, and the ability to install malware or create persistent backdoors.

Because the attacker can execute commands at the host level, the security and integrity of the entire system and any applications or data it manages are at risk.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Coolify to version 4.0.0-beta.470 or later, where the issue has been fixed.
