CVE-2026-34168
Received Received - Intake

Local Command Injection in Coolify via Persistent Volume Name

Vulnerability report for CVE-2026-34168, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a storage name containing shell metacharacters and execute commands on managed servers when the resource is deleted. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34168 is a command injection vulnerability in the Coolify application versions prior to 4.0.0-beta.471. It occurs because the LocalPersistentVolume.name field is directly inserted into Docker volume shell commands without proper escaping or sanitization.

An authenticated user can set a storage name containing shell metacharacters, which are then executed as commands on the managed server when the resource is deleted. This allows the attacker to run arbitrary shell commands with root privileges.

Impact Analysis

This vulnerability can lead to full system compromise on the managed servers running Coolify. An attacker with authentication can execute arbitrary commands with root privileges, potentially leading to unauthorized access, data theft, data corruption, or denial of service.

The impacts include loss of confidentiality, integrity, and availability of the affected systems.

Detection Guidance

This vulnerability can be detected by checking if your Coolify installation is running a version prior to 4.0.0-beta.471, as those versions are vulnerable to command injection via the LocalPersistentVolume.name field.

To detect exploitation attempts or presence of malicious storage names, you can audit the storage names used in your Coolify instance for suspicious shell metacharacters or command injection patterns.

There are no explicit detection commands provided in the resources, but you can manually query the Coolify API or database for storage names containing suspicious characters such as `$()`, `;`, `&`, or backticks.

For example, if you have shell access to the server, you might run commands to list Docker volumes and inspect their names:

  • docker volume ls
  • docker volume inspect <volume_name>

Additionally, reviewing logs or API requests for unusual storage creation or deletion requests with suspicious names could help detect exploitation attempts.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Coolify to version 4.0.0-beta.471 or later, where this vulnerability is fixed.

The fix involves proper escaping of shell arguments using the escapeshellarg() function and adding validation patterns to the LocalPersistentVolume.name field to prevent injection of shell metacharacters.

If upgrading immediately is not possible, you should restrict authenticated users from creating or modifying storage names with shell metacharacters and review your access controls to limit who can create or delete storage resources.

Monitoring and auditing storage names for suspicious input and avoiding deletion of volumes with untrusted names until patched can also reduce risk.

Compliance Impact

This vulnerability allows authenticated users to execute arbitrary shell commands on managed servers with root privileges by exploiting improper sanitization of the LocalPersistentVolume.name field. Such unauthorized command execution can lead to full system compromise, impacting the confidentiality, integrity, and availability of data and systems.

Given the potential for full system compromise, this vulnerability could lead to violations of compliance requirements under common standards and regulations such as GDPR and HIPAA, which mandate strict controls over data confidentiality and system integrity.

Specifically, unauthorized access or manipulation of sensitive data due to this vulnerability could result in data breaches or loss of data integrity, thereby affecting compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34168. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart