CVE-2026-34149 in coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an authenticated user with database management permissions to execute commands on managed servers. This issue is fixed in version 4.0.0-beta.471.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability identified in Coolify versions prior to 4.0.0-beta.471 represents a critical command injection flaw that exploits improper input handling within the DatabaseBackupJob functionality. This issue stems from inadequate sanitization of user-controlled data when constructing shell commands for database backup operations, creating an environment where authenticated users can manipulate system execution through carefully crafted inputs.

The technical implementation of this vulnerability occurs within the DatabaseBackupJob component where database credentials and MongoDB collection exclusion names are directly interpolated into shell command strings without proper escaping or validation. When a user with database management permissions submits backup configuration parameters, these inputs are concatenated directly into system commands without sanitization, enabling arbitrary command execution capabilities. The flaw specifically manifests when user-supplied data containing special shell characters or sequences is processed, allowing attackers to inject malicious commands that execute with the privileges of the Coolify service account.

This vulnerability presents significant operational impact as it transforms a legitimate administrative function into a potential attack vector for privilege escalation and system compromise. An authenticated attacker can leverage this flaw to execute arbitrary commands on managed servers, potentially gaining access to sensitive data, modifying system configurations, or establishing persistent access points. The severity is amplified by the fact that the vulnerability requires only database management permissions, which may be granted to less privileged users in certain deployment scenarios.

The vulnerability maps directly to CWE-78 and CWE-94 within the Common Weakness Enumeration framework, specifically addressing improper neutralization of special elements used in OS commands and code injection vulnerabilities. From an adversarial perspective, this flaw aligns with ATT&CK technique T1059.001 for command and scripting interpreter, enabling attackers to execute arbitrary code through shell command injection. The attack surface is particularly concerning given that Coolify operates as a server management platform where database credentials are frequently handled and system-level operations are performed.

Mitigation strategies should prioritize immediate deployment of version 4.0.0-beta.471 which implements proper input sanitization and escaping mechanisms for all user-controlled parameters. Organizations should also implement additional controls including strict input validation, least privilege access models, and monitoring of backup job execution logs for anomalous command patterns. Regular security assessments of similar components within the application stack are recommended to identify potential injection points that may require similar remediation approaches.

Responsible

GitHub M

Reservation

03/25/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!