CVE-2026-34057 in Coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without locking or validation, allowing an authenticated user to inject commands through a database import container name. This issue is fixed in version 4.0.0-beta.471.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability identified in Coolify versions prior to 4.0.0-beta.471 represents a critical command injection flaw within the database import functionality of this self-hostable management tool. The affected component app/Livewire/Project/Database/Import.php processes user-provided input during database import operations, creating a pathway for authenticated attackers to execute arbitrary shell commands on the underlying server. This vulnerability stems from insufficient input validation and sanitization mechanisms that fail to properly escape or filter container and server properties provided by clients during the import process.

The technical implementation of this flaw occurs within the Livewire component where user-controllable parameters are directly passed to shell execution functions without adequate security controls. When an authenticated user submits a database import request with maliciously crafted container names or server properties, these inputs bypass proper validation layers and are subsequently executed as shell commands. This represents a classic command injection vulnerability that allows attackers to leverage the application's privileges to execute unauthorized system-level operations.

From an operational perspective, this vulnerability poses significant risks to organizations using Coolify for server management. An authenticated attacker can potentially escalate their privileges beyond what is normally permitted within the application's access controls, gaining access to underlying server resources and executing arbitrary code with the privileges of the Coolify service account. The impact extends beyond simple code execution as attackers could potentially exfiltrate data, install backdoors, or disrupt services hosted on the same infrastructure. This vulnerability particularly affects environments where Coolify manages multiple applications or databases, as the attack surface expands with each managed resource.

The remediation implemented in version 4.0.0-beta.471 addresses this issue through proper input validation and sanitization mechanisms that prevent malicious payloads from reaching shell execution contexts. Organizations should immediately upgrade to this patched version or later releases to mitigate the risk of command injection attacks. Additional mitigations include implementing network-level restrictions, monitoring for unusual command execution patterns, and ensuring that only necessary users have access to database import functionality. This vulnerability aligns with CWE-78 which specifically addresses improper neutralization of special elements used in OS commands, and represents a clear violation of the principle of least privilege as outlined in the MITRE ATT&CK framework's command and control techniques.

Security teams should conduct thorough assessments of their Coolify deployments to ensure all instances have been updated to versions containing the fix. The vulnerability demonstrates the importance of input validation in web applications, particularly when dealing with components that interface with system-level operations. Organizations utilizing open-source tools like Coolify must maintain vigilant patch management practices and perform regular security assessments to identify and remediate similar vulnerabilities that could compromise their infrastructure's integrity and security posture.

Responsible

GitHub M

Reservation

03/25/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!