CVE-2026-59734
Received Received - Intake

Command Injection in Coolify Prior to 4.0.0-beta.469

Vulnerability report for CVE-2026-59734, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generate_healthcheck_commands() function directly interpolated the health_check_host, health_check_method, and health_check_path parameters into shell commands without proper sanitization, allowing authenticated users to execute arbitrary commands inside deployment containers. This issue is fixed in version 4.0.0-beta.469.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.460 (exc)
coollabsio coolify 4.0.0-beta.469

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users to execute arbitrary commands inside deployment containers, leading to potential remote code execution (RCE). Such unauthorized access and control can result in data theft, container escape, supply chain attacks, or denial of service.

Given these risks, the vulnerability could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and systems from unauthorized access and breaches.

Failure to address this vulnerability before the patch (version 4.0.0-beta.469) could lead to violations of these regulations due to compromised confidentiality, integrity, and availability of data and services.

Executive Summary

This vulnerability is a critical OS command injection issue in Coolify, an open-source tool for managing servers, applications, and databases. The problem exists in the generate_healthcheck_commands() function of the ApplicationDeploymentJob.php file, where user-supplied parameters (health_check_host, health_check_method, and health_check_path) are directly inserted into shell commands without proper sanitization.

Because these parameters are not properly sanitized, an authenticated user can inject malicious shell commands using special characters like ;, |, $(), or `. This allows the attacker to execute arbitrary commands inside deployment containers.

The vulnerability can be exploited through the web UI or API endpoint PATCH /api/v1/applications/{uuid} by setting malicious values for the health check parameters. It affects versions up to 4.0.0-beta.460 and was fixed in version 4.0.0-beta.469.

Impact Analysis

This vulnerability allows authenticated users to execute arbitrary commands inside deployment containers, leading to remote code execution (RCE).

  • Attackers can steal sensitive data from the containers.
  • They may escape the container environment, potentially compromising the host system.
  • It can be used to perform supply chain attacks by injecting malicious code into deployed applications.
  • The vulnerability can cause denial of service by disrupting container operations.
Detection Guidance

This vulnerability can be detected by checking if your Coolify installation is running a vulnerable version (prior to 4.0.0-beta.469). Specifically, the issue exists in the generate_healthcheck_commands() function in app/Jobs/ApplicationDeploymentJob.php where user-controlled parameters are unsafely interpolated into shell commands.

To detect potential exploitation attempts, you can monitor for unusual or suspicious shell commands being executed inside deployment containers, especially those involving health check parameters.

Since the vulnerability involves command injection via health check parameters, you can audit the current health check configurations for suspicious characters such as ;, |, $(), or ` which are commonly used to inject commands.

  • Check the version of Coolify: `coolify --version` or check the deployment version to ensure it is >= 4.0.0-beta.469.
  • Search for suspicious health check parameters in your application configurations or database: e.g., grep or query for health_check_host, health_check_method, health_check_path containing shell metacharacters.
  • Monitor container logs for unexpected command executions or errors related to health checks.
Mitigation Strategies

The immediate and most effective mitigation step is to upgrade Coolify to version 4.0.0-beta.469 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, restrict access to the Coolify web UI and API endpoints to trusted users only, as exploitation requires authenticated access.

Audit and sanitize any health check parameters (health_check_host, health_check_method, health_check_path) currently configured to ensure they do not contain shell metacharacters or malicious input.

Monitor deployment containers for suspicious activity or unexpected command executions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59734. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart