CVE-2026-34058 in Coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser without any sanitization or escaping. This parameter is interpolated directly into shell commands executed via SSH on managed servers, enabling any authenticated team member to execute arbitrary OS commands on remote servers. This issue is fixed in version 4.0.0-beta.471.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability exists within Coolify's Livewire component Server\Resources which exposes three public methods startUnmanaged stopUnmanaged and restartUnmanaged that directly accept container ID parameters from browser requests without proper input validation or sanitization. The flaw represents a classic command injection vulnerability where user-supplied data is interpolated directly into shell commands executed via SSH on remote servers. According to CWE-78 this weakness occurs when a program constructs a string used to execute an operating system command but fails to properly escape or sanitize the input data, allowing attackers to inject malicious commands that get executed with the privileges of the affected application.

The security impact is severe as any authenticated team member can exploit this vulnerability to execute arbitrary operating system commands on managed servers. This creates a privilege escalation scenario where users who should only have access to manage applications and resources gain the ability to perform system-level operations including but not limited to file manipulation process management data exfiltration and potentially full system compromise. The vulnerability is particularly dangerous because it operates at the server level through SSH connections rather than just web application boundaries, making it a critical escalation point in any security architecture.

The technical implementation of this flaw demonstrates poor input validation practices where user-controllable parameters flow directly into command execution contexts without proper sanitization or escaping mechanisms. This pattern violates fundamental security principles and aligns with ATT&CK technique T1059.001 for command and scripting interpreter usage. The vulnerability affects the entire Coolify ecosystem since it enables attackers to manipulate any server that uses the affected Livewire component, potentially compromising multiple managed services and applications across different environments.

Organizations using Coolify versions prior to 4.0.0-beta.471 should immediately implement mitigations including restricting access to team members who require administrative privileges only, implementing network segmentation to limit SSH access from web servers, and monitoring for unusual command execution patterns on managed servers. The fix in version 4.0.0-beta.471 addresses this by properly sanitizing and validating container ID parameters before they are used in shell command construction, thereby preventing the injection of malicious payloads through user input. Additionally system administrators should perform comprehensive security audits of all server components to identify similar vulnerabilities that may exist in other parts of their infrastructure.

The vulnerability highlights the importance of following secure coding practices particularly when dealing with user-supplied data that will be used in system-level operations. It serves as a reminder that even seemingly benign parameters can become dangerous when not properly validated and that SSH-based command execution requires especially careful input handling to prevent privilege escalation attacks. Organizations should implement regular security testing including penetration testing and vulnerability scanning to identify similar injection vulnerabilities across their application stack and ensure proper input validation is implemented throughout all system components.

Responsible

GitHub M

Reservation

03/25/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!