CVE-2026-34034
Received Received - Intake

Remote Code Execution in Coolify via Sentinel Token Injection

Vulnerability report for CVE-2026-34034, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell syntax and execute commands on the host when Sentinel is restarted. This issue is fixed in version 4.0.0-beta.466.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.466 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34034 is a critical Remote Code Execution (RCE) vulnerability in Coolify, an open-source self-hosted platform for managing servers and applications. The issue arises because the sentinel_token setting is used in shell commands without proper validation, allowing an authenticated user with access to Sentinel settings to inject malicious shell syntax. This injection leads to arbitrary command execution on the host system when the Sentinel service restarts.

The vulnerability exists in versions prior to 4.0.0-beta.466 and is caused by improper handling of user-controlled input in shell command contexts, specifically in files like StartSentinel.php, HasMetrics.php, Sentinel.php, and ServerSetting.php.

Compliance Impact

CVE-2026-34034 is a critical remote code execution vulnerability that allows an authenticated user to execute arbitrary commands on the host system. This can lead to unauthorized access, data breaches, and system compromise.

Such a vulnerability can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data, maintaining confidentiality, integrity, and availability of systems.

Exploitation of this vulnerability could result in unauthorized data access or modification, potentially leading to violations of data protection requirements and regulatory obligations.

Impact Analysis

This vulnerability allows an attacker with low privileges and authenticated access to execute arbitrary commands on the host system remotely without user interaction. This can lead to full compromise of the server running Coolify.

  • Execution of malicious commands on the host system.
  • Potential unauthorized access to sensitive data (confidentiality impact).
  • Modification or destruction of data and system resources (integrity and availability impact).
  • Complete takeover of the affected server, leading to further attacks or disruption.
Detection Guidance

This vulnerability can be detected by checking if the Sentinel token setting contains suspicious shell metacharacters or payloads that could lead to command injection.

One way to detect exploitation attempts is to look for unusual commands executed on the host, such as creation of unexpected files like /tmp/coolify_poc_sentinel.

You can inspect the current Sentinel token value for unsafe characters or patterns by querying the server settings or configuration files where the token is stored.

  • Use grep or similar tools to search for suspicious tokens containing shell metacharacters (e.g., quotes, semicolons, backticks) in configuration files or logs.
  • Monitor system logs for commands executed by the Sentinel service, especially around service restarts.
  • Example command to check for suspicious token patterns in configuration files: grep -E '[";`$]' /path/to/coolify/config
  • Check for unexpected files created by exploitation attempts, e.g., ls -l /tmp/coolify_poc_sentinel
Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.466 or later, where the vulnerability is fixed.

The fix includes strict validation of the Sentinel token to allow only safe characters and improved shell argument escaping to prevent command injection.

Until the upgrade can be performed, restrict access to the Sentinel token settings to trusted users only, as exploitation requires authenticated access.

Avoid restarting the Sentinel service if the token value is untrusted or unknown.

Review and audit current Sentinel token values and reset them to safe values containing only alphanumeric characters and allowed symbols (dots, hyphens, underscores, plus, forward slash, equals).

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34034. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart