CVE-2026-34158
Received Received - Intake

Command Injection in Coolify Prior to 4.0.0-beta.469

Vulnerability report for CVE-2026-34158, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a single quote into docker_compose_custom_build_command or docker_compose_custom_start_command to break out of the quoted context and execute arbitrary commands on the managed server host during deployments, escaping the intended Docker container confinement. This issue is fixed in version 4.0.0-beta.469.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.469 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34158 is a critical command injection vulnerability in the Coolify application, specifically in Docker Compose custom commands.

The vulnerability arises because the executeInDocker() helper function wraps user-controlled commands in single quotes without properly escaping embedded single quotes.

Attackers who have the ability to edit application settings can inject a single quote into the docker_compose_custom_build_command or docker_compose_custom_start_command fields. This breaks out of the quoted context and allows execution of arbitrary commands on the managed server host during deployments.

This effectively bypasses the intended Docker container confinement, enabling full remote code execution on the host system with the privileges of the SSH user, which is typically root.

Impact Analysis

This vulnerability can have severe impacts including container escape and full host compromise.

  • Attackers can execute arbitrary commands on the host system with high privileges.
  • It enables lateral movement within the network.
  • There is a risk of data exfiltration.
  • It poses supply chain risks by compromising the deployment environment.
Detection Guidance

Detection of this vulnerability involves checking if the Coolify application is running a vulnerable version prior to 4.0.0-beta.469 and if the settings `docker_compose_custom_build_command` or `docker_compose_custom_start_command` contain unescaped single quotes that could allow command injection.

You can inspect the application settings for suspicious single quotes or unusual commands by querying the configuration files or database where these settings are stored.

Additionally, monitoring deployment logs for unexpected command executions or shell escapes during Docker Compose operations may help detect exploitation attempts.

  • Check the Coolify version: `coolify --version` or check the deployment environment to confirm the version is before 4.0.0-beta.469.
  • Search for single quotes in custom Docker Compose commands, for example, by querying the database or configuration files where `docker_compose_custom_build_command` or `docker_compose_custom_start_command` are stored.
  • Monitor logs for suspicious command execution during deployments, e.g., `journalctl -u coolify` or Docker daemon logs.
Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.469 or later, where the vulnerability is fixed by properly escaping single quotes in the `executeInDocker()` helper function.

If upgrading immediately is not possible, restrict access to the application settings to trusted users only, as attackers require the ability to edit application settings to exploit this vulnerability.

Implement input validation and sanitization on the `docker_compose_custom_build_command` and `docker_compose_custom_start_command` settings to prevent injection of single quotes or other malicious characters.

Re-enable or enforce authorization checks to limit who can modify these settings.

Monitor deployment activities closely for any signs of exploitation attempts.

Compliance Impact

This vulnerability allows attackers to execute arbitrary commands on the managed server host, potentially leading to full host compromise, lateral movement, and data exfiltration.

Such impacts can result in unauthorized access to sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to data breaches and insufficient security controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart