CVE-2026-42201
Received Received - Intake

Command Injection Risk in Coolify Prior to 4.0.0-beta.474

Vulnerability report for CVE-2026-42201, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, mysql_user) are validated only as 'string' at the API layer, with zero shell-safety checks. These values are then interpolated directly into Docker Compose YAML command: strings without any escaping. This issue is fixed in version 4.0.0-beta.474.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.474 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42201 is an OS Command Injection vulnerability in Coolify versions 4.0.0-beta.473 and earlier. It affects database credential fields such as redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, and mysql_user. These fields are only validated as strings at the API layer without any shell-safety checks.

The vulnerability arises because these credential values are directly interpolated into Docker Compose YAML command strings without escaping. This allows shell metacharacters (like semicolons, backticks, and $()) to execute arbitrary commands inside database containers when Docker Compose runs them via /bin/sh -c.

For example, an attacker could set a Redis password to a value like "secret'; touch /tmp/pwned; echo 'x" which would execute the touch command on container startup.

The ClickHouse healthcheck is especially dangerous because it runs every 5 seconds, enabling persistent command execution. The root cause is insufficient validation in the API and direct string interpolation without escaping in the code.

Impact Analysis

This vulnerability can lead to arbitrary command execution inside database containers, which can compromise the confidentiality, integrity, and availability of data.

  • Confidentiality loss: Attackers can exfiltrate sensitive data stored in the database containers.
  • Integrity loss: Attackers can tamper with data by executing malicious commands.
  • Availability loss: Attackers can cause service crashes or disrupt database operations.

Although the impact is container-scoped, database containers often have elevated privileges or access to the Docker socket, which could allow container escape and broader system compromise.

Exploitation requires an authenticated team member to inject malicious commands into credential fields during database creation or configuration.

Detection Guidance

This vulnerability can be detected by checking for suspicious or malicious shell metacharacters in database credential fields such as redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, and mysql_user. Since these fields are interpolated directly into Docker Compose YAML commands without escaping, any injected shell commands could be detected by monitoring container startup logs or by inspecting the Docker Compose YAML files for unescaped special characters.

You can also look for unusual file creations or command executions inside database containers, for example, by checking for unexpected files like /tmp/pwned created by injected commands.

Suggested commands to detect exploitation attempts include:

  • Inspect Docker container logs for suspicious command execution: docker logs <container_id>
  • Search for suspicious files inside database containers: docker exec -it <container_id> ls /tmp
  • Check Docker Compose YAML files for unescaped shell metacharacters in credential fields.
  • Monitor network traffic for unusual activity originating from database containers.
Mitigation Strategies

Immediate mitigation steps include upgrading Coolify to version 4.0.0-beta.474 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, avoid using shell metacharacters in database credential fields and validate or sanitize these inputs to prevent injection.

Additional recommended mitigations are:

  • Use YAML array syntax for commands to bypass shell parsing.
  • Apply strict validation rules with regex to block shell metacharacters in credential fields.
  • Implement escaping functions such as escapeshellarg() at points where credentials are interpolated into commands.

Ensure only authenticated and trusted team members have access to configure database credentials to reduce the risk of exploitation.

Compliance Impact

The vulnerability allows authenticated team members to inject arbitrary commands into database credential fields, leading to potential data exfiltration, data tampering, and service disruption within database containers.

Since database containers often hold sensitive data and may have elevated privileges or access to the Docker socket, exploitation could result in confidentiality, integrity, and availability losses of sensitive information.

Such impacts could compromise compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access, alteration, and availability disruptions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart