CVE-2026-34153 in Coolifyinfo

Summary

by MITRE • 07/06/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-controlled file-mount path before creating a volume, allowing an authenticated user who can add file storage to execute commands when the storage is saved. This issue is fixed in version 4.0.0-beta.471.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability identified in Coolify versions prior to 4.0.0-beta.471 represents a critical command injection flaw that stems from improper input validation and sanitization within the file storage handling mechanisms. This security weakness exists in the LocalFileVolume::saveStorageOnServer method where shell commands are constructed using unescaped fs_path and parent_dir values before any validation occurs. The absence of proper sanitization creates an environment where maliciously crafted paths can be exploited to inject arbitrary shell commands into the system execution flow, fundamentally compromising the integrity and security of the server infrastructure.

The operational impact of this vulnerability extends beyond simple command injection as it allows authenticated users with file storage privileges to execute arbitrary code on the underlying server. The issue becomes particularly dangerous because the submitFileStorage function fails to validate user-controlled file-mount paths before volume creation, creating a direct attack vector for privilege escalation and system compromise. This flaw enables attackers to potentially gain full control over the server environment, execute malicious payloads, and perform unauthorized operations that could lead to data exfiltration, service disruption, or further lateral movement within the network infrastructure.

The technical implementation of this vulnerability aligns with common command injection patterns documented in CWE-78 and CWE-88, where user-supplied data is directly incorporated into shell commands without proper escaping or validation. From an ATT&CK framework perspective, this represents a privilege escalation technique under T1068 and potentially lateral movement through T1566 by leveraging the authenticated access to execute arbitrary code on the target system. The vulnerability essentially transforms a legitimate file storage functionality into a weaponized attack surface that bypasses normal security controls through improper input handling.

Security mitigations for this vulnerability require immediate patching to version 4.0.0-beta.471 or later, which implements proper input validation and sanitization mechanisms. Organizations should also implement additional defensive measures including restricting file storage permissions to minimal necessary access levels, implementing network segmentation around the Coolify deployment, and monitoring for suspicious command execution patterns. The fix addresses the root cause by ensuring that all user-provided paths are properly escaped and validated before being used in shell command construction, thereby preventing the injection of malicious payloads that could compromise system integrity.

Responsible

GitHub M

Reservation

03/25/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!