CVE-2026-34057
Received Received - Intake

Command Injection in Coolify Prior to 4.0.0-beta.471

Vulnerability report for CVE-2026-34057, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without locking or validation, allowing an authenticated user to inject commands through a database import container name. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)
coollabsio coolify From 4.0.0-beta.470 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users to execute arbitrary commands as root on managed servers, potentially leading to full server compromise, lateral movement across infrastructure, and exposure of sensitive data such as SSH keys and database credentials.

Such unauthorized access and data exposure can result in violations of common standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information from unauthorized access and breaches.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to the risk of data breaches and insufficient access controls.

Executive Summary

This vulnerability exists in Coolify versions prior to 4.0.0-beta.471 in the database import Livewire component. It allows an authenticated user to inject arbitrary shell commands through the container name used during database import. This happens because the container name property is client-controllable and is directly interpolated into shell commands without proper locking or validation. Attackers can exploit this to execute commands on the server with elevated privileges.

Impact Analysis

This vulnerability can have severe impacts including remote code execution as root on managed servers. An attacker with team membership, even with low privileges, can execute arbitrary commands, potentially leading to full server compromise, lateral movement across infrastructure, and exposure of sensitive data such as SSH keys and database credentials.

Detection Guidance

Detection of this vulnerability involves monitoring for unusual or unauthorized Livewire wire protocol requests that modify the container property in the database import component. Since the vulnerability allows command injection via the container name, inspecting Livewire update requests for suspicious container names containing special characters like $(), `, ;, |, &&, spaces, or newlines can help identify exploitation attempts.

You can also check your Coolify version to see if it is vulnerable (versions prior to 4.0.0-beta.471 are affected).

Suggested commands to detect potential exploitation attempts or vulnerable versions include:

  • Check Coolify version: `coolify --version` or inspect the deployed version in your environment.
  • Monitor Livewire requests for suspicious container names by capturing and analyzing network traffic or application logs.
  • Search application logs for shell commands or docker commands containing suspicious container names or special characters.
Mitigation Strategies

The immediate mitigation steps are to upgrade Coolify to version 4.0.0-beta.471 or later, where the vulnerability is fixed.

The fix includes adding the #[Locked] attribute to sensitive properties like the container and serverId to prevent client-side modification, validating container names against a strict regex pattern to reject special characters, and scoping server lookups to the current team to prevent unauthorized server targeting.

Until you can upgrade, restrict access to the database import functionality to trusted users only, monitor for suspicious activity, and consider applying network-level controls to limit exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34057. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart