CVE-2026-34035
Received Received - Intake

Command Injection in Coolify Prior to 4.0.0-beta.466

Vulnerability report for CVE-2026-34035, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell commands without sufficient encoding, allowing an authenticated user to inject commands executed on the host. This issue is fixed in version 4.0.0-beta.466.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.466 (exc)
coollabsio coolify 4.0.0-beta.466

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34035 is a critical Remote Code Execution (RCE) vulnerability in Coolify, an open-source self-hosted platform for managing servers and applications. The issue exists in versions prior to 4.0.0-beta.466 and arises because log drain secret and environment values are interpolated directly into shell commands without proper encoding or escaping.

This improper handling allows an authenticated user to inject malicious shell commands through fields like the Axiom API Key. When these commands are executed on the host, it can lead to arbitrary command execution. For example, an attacker could inject a payload that runs system commands such as `id` and writes output to files on the server.

The root cause is the lack of neutralization of special shell characters in environment variables used in shell commands, leading to command injection (CWE-78). The vulnerability is fixed in version 4.0.0-beta.466 by encoding environment variables safely and validating input.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker with low privileges and authentication to execute arbitrary commands on the host system running Coolify.

  • Full host compromise due to arbitrary command execution.
  • Loss of confidentiality, as attackers can access sensitive data on the server.
  • Loss of integrity, since attackers can modify files or configurations.
  • Loss of availability, as attackers could disrupt services or delete critical data.

Because the attack vector is network-based, requires low complexity, and no user interaction, it poses a high risk to affected systems.

Detection Guidance

This vulnerability can be detected by checking if your Coolify installation is running a version prior to 4.0.0-beta.466, as those versions are vulnerable to command injection via the Log Drain feature.

To detect exploitation attempts or presence of injected commands, you can look for suspicious files or outputs created by injected commands, such as the example payload that writes the output of the `id` command to `/tmp/coolify_poc_logdrain`.

Suggested commands to detect potential exploitation include:

  • Check for the presence of suspicious files created by command injection payloads, e.g., `ls -l /tmp/coolify_poc_logdrain`
  • View contents of suspicious files to confirm command execution, e.g., `cat /tmp/coolify_poc_logdrain`
  • Search logs for suspicious command injection patterns or shell metacharacters in Log Drain configuration fields.
  • Audit the version of Coolify installed by running `coolify --version` or checking the deployment metadata to confirm if it is older than 4.0.0-beta.466.
Mitigation Strategies

The immediate and most effective mitigation step is to upgrade Coolify to version 4.0.0-beta.466 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, avoid using the Log Drain feature or restrict access to it to trusted users only, as the vulnerability requires authenticated user access.

Additional mitigation includes:

  • Avoid shell-based environment variable writing in your configuration.
  • Implement strict validation and escaping of secret fields before they are used in any shell command context.
  • Use safe file APIs or base64-encoded static payloads for environment variables instead of direct shell interpolation.
Compliance Impact

The vulnerability in Coolify allows authenticated users to execute arbitrary commands on the host system due to improper handling of environment variables in shell commands. This can lead to full host compromise, impacting confidentiality, integrity, and availability of data.

Such a compromise could potentially lead to unauthorized access or disclosure of sensitive data, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of personal and health information.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any regulatory frameworks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart