CVE-2026-34049 in Coolify
Summary
by MITRE • 07/06/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure backup inputs to inject commands. This issue is fixed in version 4.0.0-beta.471.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability identified in Coolify versions 4.0.0-beta.451 through 4.0.0-beta.470 represents a critical command injection flaw in the database backup handling mechanism for MongoDB collections. This issue stems from insufficient validation of shell metacharacters during backup configuration processes, creating an avenue for malicious command execution. The vulnerability specifically affects the handling of database backup inputs where attacker-controlled data is not properly sanitized before being passed to shell commands. Organizations using these vulnerable versions face significant risk as a highly privileged attacker with the ability to configure backup inputs can exploit this weakness to execute arbitrary commands on the underlying system. The flaw demonstrates poor input validation practices and highlights the importance of proper sanitization when dealing with user-supplied data that interfaces with system commands. This vulnerability type maps directly to CWE-78, which defines improper neutralization of special elements used in OS commands, a well-established weakness in software security. The attack surface is particularly concerning given that backup configuration typically requires elevated privileges, making this an attractive target for attackers seeking to escalate their access within the system environment.
The technical implementation of this vulnerability occurs when Coolify processes MongoDB collection names during backup operations. The software fails to properly escape or sanitize special shell characters such as semicolons, pipes, and ampersands that could be used to chain commands or manipulate execution flow. When a privileged attacker configures backup inputs, they can craft malicious collection names containing these metacharacters to inject additional commands into the backup process. The system's reliance on shell execution for database operations without adequate parameter validation creates an environment where attacker-controlled input directly influences command execution. This design flaw aligns with ATT&CK technique T1059.001, which covers command and scripting interpreters, specifically targeting OS command injection vulnerabilities. The vulnerability's impact extends beyond simple command execution as it could potentially allow attackers to gain full system control, access sensitive data, or disrupt service availability. The limited scope of exploitation requires the attacker to already possess configuration privileges but represents a significant elevation of privileges within the application's security model.
The operational impact of this vulnerability is severe for organizations relying on Coolify for server management and database operations. A successful exploitation could result in complete system compromise, data exfiltration, or service disruption that affects multiple applications managed through the platform. The vulnerability's presence in beta versions suggests potential exposure across development environments and early adopters who may not have implemented proper security monitoring. Organizations using affected versions face increased risk of supply chain attacks if they are part of larger ecosystems where Coolify is integrated with other systems. The security implications extend to compliance requirements, as this vulnerability could lead to violations of data protection regulations such as gdpr or hipaa depending on the nature of the data being managed. The attack vector requires a privileged user account which limits the scope but does not eliminate the danger, as compromised accounts can lead to broader system compromise. System administrators should consider implementing network segmentation and monitoring for unusual command execution patterns that could indicate exploitation attempts.
Mitigation strategies for this vulnerability include immediate upgrade to Coolify version 4.0.0-beta.471 which contains the necessary fixes. Organizations should also implement comprehensive input validation measures for all backup configuration parameters, particularly those involving database collection names and other identifiers passed to system commands. The implementation of parameterized queries or command execution frameworks that prevent shell interpretation of user input would significantly reduce risk. Security monitoring should be enhanced to detect unusual command execution patterns, especially those involving database backup operations. Network-based detection measures can help identify potential exploitation attempts by monitoring for suspicious command sequences or unauthorized access to backup configuration interfaces. Regular security assessments and penetration testing should include validation of input sanitization mechanisms in all system components that interface with shell commands. The fix implemented in version 4.0.0-beta.471 likely includes proper escaping of special characters and improved validation of user inputs before shell command execution, addressing the root cause identified in CWE-78 classifications. Organizations should also consider implementing least privilege principles for backup configuration access to limit the potential impact of compromised accounts. Continuous security monitoring and vulnerability management processes are essential to prevent similar issues from emerging in future releases.