CVE-2026-42200
Received Received - Intake

PostgreSQL Path Traversal in Coolify

Vulnerability report for CVE-2026-42200, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue is fixed in version 4.0.0-beta.474.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.474 (exc)
coollabsio coolify 4.0.0-beta.474

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user to write arbitrary files to the host filesystem and achieve root-level remote code execution, leading to a complete server compromise.

Such a compromise can lead to unauthorized access, modification, or destruction of sensitive data, which may violate data protection requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to failure to protect the confidentiality, integrity, and availability of sensitive information.

Executive Summary

This vulnerability is a path traversal flaw in Coolify's PostgreSQL initialization script handling. It occurs because the filename handling in the generate_init_scripts() method does not properly restrict file paths, allowing an authenticated user to write files outside the intended directory.

By exploiting this, an attacker can write arbitrary files to the host filesystem, such as a malicious cron job in /etc/cron.d/, which leads to root-level remote code execution on the server. This means the attacker can fully compromise the server and all hosted applications.

The root cause is insufficient validation of user-controlled filenames, where directory traversal sequences like "../" are not blocked, allowing attackers to escape the intended directory.

This issue affects Coolify versions prior to 4.0.0-beta.474 and has been fixed by adding strict filename validation, using basename() to strip directory components, and improving path traversal checks.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated user, even with low privileges, to execute arbitrary commands as root on the server.

An attacker can write malicious files such as cron jobs that run with root privileges, leading to full server compromise.

This means all applications and data hosted on the compromised server can be accessed, modified, or destroyed by the attacker.

The vulnerability has a high severity score of 8.8 (CVSS v3), reflecting its potential for complete loss of confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious files written outside the intended PostgreSQL initialization script directory, especially in sensitive locations like /etc/cron.d/ where malicious cron jobs could be placed.

You can look for unexpected cron jobs or files created by low-privileged users that could indicate exploitation attempts.

  • Use commands to find recently created or modified files in sensitive directories, for example:
  • find /etc/cron.d/ -type f -mtime -7 -ls
  • grep -r 'coolify' /var/log/ or other relevant log directories to detect suspicious activity related to Coolify.
  • Audit PostgreSQL initialization script directories for files with unexpected names or paths that include directory traversal sequences.

Since the vulnerability involves path traversal via filenames, monitoring or scanning for filenames containing '../' or other traversal patterns in the Coolify application data or database initialization scripts can help detect exploitation.

Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.474 or later, where the vulnerability has been fixed.

The fix includes strict validation of PostgreSQL initialization script filenames to prevent path traversal and command injection.

  • Apply the update that introduces the validateFilenameSafe() function to reject unsafe filenames containing directory separators, path traversal sequences, null bytes, and shell metacharacters.
  • Ensure that the application uses basename() to strip directory components from filenames and escapeshellarg() when constructing shell commands.

Additionally, review and remove any suspicious files or cron jobs that may have been created by exploiting this vulnerability.

If immediate upgrade is not possible, restrict access to the Coolify application to trusted users only and monitor for suspicious activity closely.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42200. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart