CVE-2026-34058
Received Received - Intake

Remote Code Execution in Coolify via Unsanitized Container ID

Vulnerability report for CVE-2026-34058, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser without any sanitization or escaping. This parameter is interpolated directly into shell commands executed via SSH on managed servers, enabling any authenticated team member to execute arbitrary OS commands on remote servers. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)
coollabsio coolify 4.0.0-beta.471

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-34058 allows authenticated team members to execute arbitrary OS commands on remote servers managed by Coolify. This can lead to unauthorized access, data exfiltration, deployment of backdoors, and destruction or modification of infrastructure and applications.

Such unauthorized access and potential data breaches could violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and availability.

Specifically, the vulnerability's impact on confidentiality, integrity, and availability (all rated high in the CVSS score) means that organizations using affected versions of Coolify may face compliance risks if sensitive personal or health data is exposed or compromised due to exploitation of this flaw.

Executive Summary

CVE-2026-34058 is a critical OS command injection vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability exists in the Livewire component Server\Resources, which exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser without any sanitization or escaping.

This container ID parameter is directly interpolated into shell commands executed via SSH on managed servers. Because of this lack of input validation, any authenticated team member can inject arbitrary OS commands on remote servers, leading to remote code execution.

The issue was fixed by adding input validation to ensure container IDs are properly formatted and by escaping shell arguments to prevent command injection.

Impact Analysis

This vulnerability allows any authenticated team member to execute arbitrary operating system commands on remote servers managed by Coolify. This can lead to severe impacts including:

  • Remote code execution on managed servers.
  • Exfiltration of sensitive data.
  • Deployment of backdoors or malware.
  • Pivoting to other servers within the infrastructure.
  • Destruction or modification of infrastructure and deployed applications.
Detection Guidance

This vulnerability involves command injection via container ID parameters passed to shell commands without sanitization. Detection can focus on monitoring for unusual or unauthorized shell command executions related to Docker container management, especially commands like "docker stop", "docker start", or "docker restart" with suspicious container IDs.

One approach is to inspect Livewire AJAX requests to the Server\Resources component for container ID parameters containing suspicious characters such as semicolons, pipes, or command substitutions that could indicate an injection attempt.

On the system, you can audit shell command logs or SSH command executions for unexpected or malformed container IDs.

Specific commands to detect exploitation attempts might include:

  • Using shell history or audit logs to search for Docker commands with suspicious container IDs, e.g., `grep -E 'docker (stop|start|restart) .*;|\||` ~/.bash_history`
  • Monitoring network traffic for Livewire AJAX requests containing container ID parameters with injection characters.
  • Using intrusion detection systems (IDS) or web application firewalls (WAF) to flag requests with suspicious container ID inputs.
Mitigation Strategies

The primary mitigation is to upgrade Coolify to version 4.0.0-beta.471 or later, where input validation and shell argument escaping have been implemented to prevent command injection.

If immediate upgrade is not possible, restrict access to the affected Livewire component methods (`startUnmanaged`, `stopUnmanaged`, `restartUnmanaged`) to trusted users only, as the vulnerability requires authenticated access.

Implement network-level controls to limit access to the Coolify management interface.

Monitor logs for suspicious container ID inputs and shell command executions as a temporary detection measure.

Apply input validation and escaping in custom patches if feasible, following the patterns described in the fix: validating container IDs against allowed patterns and using shell argument escaping functions like `escapeshellarg()`.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart