CVE-2026-34152
Received Received - Intake

Remote Code Execution in Coolify Prior to 4.0.0-beta.471

Vulnerability report for CVE-2026-34152, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34152 is a command injection vulnerability in Coolify versions prior to 4.0.0-beta.471. The issue occurs because pre-deployment and post-deployment commands, although single-quote escaped, are sent through SSH heredoc transport that preserves newline characters. This allows an authenticated user with application configuration permissions to inject additional shell commands by including newline characters in these commands. The remote server interprets these newlines as separate commands, enabling arbitrary command execution during deployment.

Impact Analysis

This vulnerability can lead to arbitrary command execution on the remote server during deployment. An attacker with the ability to configure the application can inject malicious shell commands, potentially leading to full host takeover if the container is privileged. The impact includes high confidentiality, integrity, and availability risks, as attackers can execute commands that compromise the system, steal data, or disrupt services.

Detection Guidance

This vulnerability involves injection of additional shell commands via newlines in pre-deployment and post-deployment commands sent over SSH heredoc transport. Detection can focus on identifying unusual or suspicious multi-line commands or payloads containing newline characters in deployment configurations.

You can audit the deployment command configurations for the presence of newline characters or shell metacharacters that could be used for injection.

  • Check deployment command fields for newline characters using commands like: grep -P '\n' or grep -P '\r' in configuration files or database entries.
  • Monitor SSH sessions or logs for unexpected command sequences or multiple commands executed during deployment.
  • Use network monitoring tools to detect unusual SSH heredoc payloads containing newline characters that could indicate injection attempts.
Mitigation Strategies

The primary mitigation is to upgrade Coolify to version 4.0.0-beta.471 or later, where the vulnerability is fixed by normalizing whitespace and removing newline characters from pre-deployment and post-deployment commands before execution.

If immediate upgrade is not possible, restrict permissions to prevent unauthorized users from modifying deployment commands, as exploitation requires authenticated users with configuration access.

Additionally, implement input validation to disallow newline characters and shell metacharacters in deployment command inputs.

Consider hardening the SSH transport layer and monitoring deployment logs for suspicious command injection attempts.

Compliance Impact

This vulnerability allows an authenticated user with application configuration permissions to inject arbitrary commands on the remote server during deployment, potentially leading to host takeover if the container is privileged.

Such unauthorized command execution can compromise the confidentiality, integrity, and availability of data and systems managed by Coolify.

Because of the high impact on confidentiality and integrity, this vulnerability could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34152. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart