CVE-2026-34034 in Coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell syntax and execute commands on the host when Sentinel is restarted. This issue is fixed in version 4.0.0-beta.466.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability in Coolify affects versions prior to 4.0.0-beta.466 where the sentinel_token setting undergoes insufficient validation during shell command execution. This represents a critical security flaw that enables authenticated users with access to server Sentinel configurations to perform command injection attacks. The issue stems from improper input sanitization of the sentinel_token parameter, which is directly incorporated into shell commands without adequate filtering or escaping mechanisms. When Sentinel is restarted, these unvalidated tokens are processed through shell execution contexts, creating an opportunity for malicious command injection.

This vulnerability falls under the CWE-78 category of Command Injection, specifically targeting Unix shell command execution where user-controllable data is concatenated into shell commands without proper sanitization. The attack vector requires an authenticated user with sufficient privileges to modify server Sentinel settings, which aligns with privilege escalation and lateral movement techniques documented in the MITRE ATT&CK framework under T1068 and T1543. The impact extends beyond simple command execution as it allows attackers to potentially gain full control over the host system, execute arbitrary code, and access sensitive data stored within the environment.

The operational implications of this vulnerability are severe for organizations using Coolify as their self-hosted management platform. An attacker with access to Sentinel settings could execute commands such as creating backdoors, exfiltrating data, modifying system configurations, or establishing persistent access to the host server. The fact that the injection occurs during Sentinel restart provides a window of opportunity that may not be immediately detectable, potentially allowing attackers to maintain access undetected for extended periods. This issue represents a classic case of insufficient input validation leading to remote code execution in a self-hosted environment where system integrity is paramount.

Organizations should immediately upgrade to Coolify version 4.0.0-beta.466 or later to remediate this vulnerability. Additionally, administrators should implement network segmentation and access controls to limit who can modify Sentinel settings within the Coolify platform. Regular security audits of configuration management processes should be conducted to ensure that only authorized personnel have access to critical system parameters. Input validation mechanisms should be strengthened to sanitize all user-controllable data before processing in shell contexts, following established security best practices for preventing command injection attacks. System monitoring should be enhanced to detect unusual restart patterns or command execution activities that might indicate exploitation attempts.

Responsible

GitHub M

Reservation

03/25/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!