CVE-2026-34158 in Coolify
Summary
by MITRE • 07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a single quote into docker_compose_custom_build_command or docker_compose_custom_start_command to break out of the quoted context and execute arbitrary commands on the managed server host during deployments, escaping the intended Docker container confinement. This issue is fixed in version 4.0.0-beta.469.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability identified in Coolify versions prior to 4.0.0-beta.469 represents a critical command injection flaw that undermines the fundamental security boundaries of containerized deployments. This issue manifests through the executeInDocker() helper function which processes user-controlled inputs without proper sanitization, creating an environment where malicious actors can manipulate deployment workflows. The vulnerability specifically affects the docker_compose_custom_build_command and docker_compose_custom_start_command configuration parameters, which are designed to allow users to customize their deployment processes while maintaining security isolation within Docker containers.
The technical implementation of this flaw stems from improper input handling where user-supplied commands undergo single quote wrapping but fail to escape embedded single quotes within the input. This creates a classic command injection vector where attackers can manipulate the execution context by inserting malicious payloads that break out of the intended quoted parameter scope. When an attacker modifies application settings to include a single quote followed by additional shell commands, the system fails to properly sanitize these inputs before executing them within the docker-compose context. The vulnerability directly maps to CWE-78, which defines improper neutralization of special elements used in OS commands, and represents a failure in input validation and output encoding practices that should be implemented at multiple layers of security.
The operational impact of this vulnerability extends beyond simple privilege escalation as it allows attackers to execute arbitrary commands on the host server where Coolify is deployed. This breakout from container confinement essentially nullifies the security benefits of Docker isolation, enabling malicious actors to access sensitive system resources, modify deployed applications, or potentially establish persistent backdoors. The attack surface is particularly concerning because it requires only the ability to edit application settings, which in many deployment scenarios may be accessible to less privileged users or through compromised accounts within the Coolify management interface. This vulnerability aligns with ATT&CK technique T1059.001 for command and scripting interpreter, specifically focusing on the execution of system commands through shell injection.
The remediation implemented in version 4.0.0-beta.469 addresses this issue by introducing proper input sanitization and escaping mechanisms within the executeInDocker() helper function. This fix ensures that all user-controlled inputs are properly escaped before being incorporated into shell commands, preventing the injection of malicious payloads that could break out of quoted contexts. Organizations running vulnerable versions should immediately implement mitigation strategies including restricting write access to application settings, implementing network segmentation around Coolify deployments, and monitoring for unauthorized configuration changes. The vulnerability serves as a stark reminder of the importance of input validation in security-critical functions and highlights the need for comprehensive testing of all user-controllable inputs that ultimately influence system command execution within containerized environments.