CVE-2026-42143
Received Received - Intake

Command Injection in Coolify Prior to 4.0.0-beta.471

Vulnerability report for CVE-2026-42143, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)
coollabsio coolify From 4.0.0-beta.473 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users to execute arbitrary commands as root on managed servers, leading to potential privilege escalation, server compromise, secret exfiltration, and lateral movement.

Such unauthorized access and control over servers can result in exposure or theft of sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, the vulnerability poses significant risks to compliance with these regulations by undermining the confidentiality, integrity, and availability of protected data.

Executive Summary

CVE-2026-42143 is an OS command injection vulnerability in Coolify versions 4.0.0-beta.473 and earlier. It occurs because user-controlled persistent volume names are directly inserted into shell commands executed on managed servers without proper escaping or validation.

This allows an authenticated user, even with low privileges, to inject malicious shell metacharacters into volume names. When volume operations like deletion or cloning are triggered, these injected commands execute as root, leading to full root-level control over the managed servers.

The vulnerability exists in multiple places in the codebase where volume names are used in shell commands without sanitization. The fix involves strict input validation and proper escaping of volume names.

Impact Analysis

This vulnerability can have severe impacts including privilege escalation to root, full server compromise, container escape, and exfiltration of secrets.

  • Privilege escalation allowing attackers to gain root access.
  • Compromise of managed servers leading to unauthorized control.
  • Escape from container environments, increasing attack surface.
  • Exfiltration of sensitive secrets stored on the servers.
  • Lateral movement within the network to compromise additional systems.
  • Supply chain risks due to compromised server integrity.
Detection Guidance

Detection of this vulnerability involves identifying if any user-controlled persistent volume names contain shell metacharacters that could be injected into shell commands executed on managed servers.

You can audit volume names for suspicious characters such as semicolons, ampersands, or other shell metacharacters that may be used for command injection.

Additionally, monitoring SSH command executions triggered by volume operations for unexpected or unauthorized commands can help detect exploitation attempts.

  • Check volume names for unsafe characters using commands like: grep -E '[;|&`$()]' /path/to/volume/names
  • Review logs of volume operations and SSH command executions for anomalies.
Mitigation Strategies

Immediate mitigation involves upgrading Coolify to version 4.0.0-beta.471 or later where the vulnerability is fixed.

If upgrading is not immediately possible, restrict authenticated user permissions to prevent unauthorized volume operations.

Implement strict input validation to allow only alphanumeric characters, dots, underscores, and hyphens in persistent volume names.

Ensure proper escaping of volume names in any shell commands executed on managed servers to prevent command injection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42143. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart