CVE-2026-34152 in Coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability affects Coolify versions prior to 4.0.0-beta.471 and represents a critical command injection flaw in the deployment process. The vulnerability stems from improper input sanitization where pre-deployment and post-deployment commands undergo single-quote escaping but are subsequently transmitted via SSH heredoc transport mechanisms that preserve newline characters. This combination creates an exploitable condition where authenticated users can inject malicious shell commands that execute on remote servers during deployment operations.

The technical implementation of this vulnerability leverages the fact that while individual command arguments receive single-quote escaping, the heredoc transport mechanism does not strip or properly sanitize newline characters that may be present in user-supplied input. When these commands are processed by the remote shell, the preserved newlines allow attackers to append additional shell statements that execute with the privileges of the deployment process. This represents a classic command injection vulnerability where the escaping mechanism is bypassed through transport layer characteristics rather than direct input validation failures.

From an operational perspective, this vulnerability enables authenticated attackers to execute arbitrary commands on remote servers with the same privileges as the deployment service. The impact extends beyond simple code execution to potential privilege escalation and system compromise, particularly if the deployment process runs with elevated permissions. Attackers could potentially establish persistent access, exfiltrate data, or disrupt services through unauthorized command execution within the deployment environment.

This vulnerability aligns with CWE-78 which specifically addresses OS Command Injection vulnerabilities, and maps to ATT&CK technique T1059.004 for command and scripting interpreter. The attack surface is limited to authenticated users who have access to deployment configuration, but the impact can be severe given that these users typically possess sufficient privileges to affect production systems. The fix implemented in version 4.0.0-beta.471 likely involves enhanced input sanitization that properly handles newline characters during heredoc transport or alternative command execution mechanisms that do not rely on potentially vulnerable transport methods.

Organizations using Coolify should immediately upgrade to version 4.0.0-beta.471 or later to mitigate this vulnerability. Additionally, administrators should implement network segmentation and privilege separation for deployment processes to limit the potential impact of successful exploitation. Monitoring for unusual command execution patterns during deployment operations can help detect potential exploitation attempts. The vulnerability demonstrates the importance of considering transport layer characteristics when implementing input sanitization and highlights the need for comprehensive security testing that considers edge cases in data transmission mechanisms.

Responsible

GitHub M

Reservation

03/25/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!