CVE-2026-34597 in coolify

Summary

by MITRE • 06/30/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.


Analysis

by VulDB Data Team • 06/30/2026

The Coolify platform presents a critical security vulnerability classified as authenticated remote code execution that affects versions prior to 4.0.0-beta.470. This vulnerability stems from improper handling of user-defined build parameters within the Nixpacks build pack functionality, creating a dangerous condition where attacker-controlled input directly influences shell command execution. The flaw represents a severe breach in the principle of least privilege and demonstrates inadequate input sanitization mechanisms that allow malicious actors with valid credentials to escalate their privileges beyond the intended application boundaries.

The technical implementation of this vulnerability occurs during the deployment phase when Coolify processes user-provided installation commands through the Nixpacks build system. The system directly concatenates the user-defined install_command parameter into a shell command string without proper sanitization or validation, creating a classic command injection scenario. This design flaw allows attackers to manipulate the build process by injecting malicious shell commands that execute with the privileges of the deployment host. The vulnerability lies in the build context, where user input is treated as executable code rather than data, violating fundamental security principles of input validation and command execution isolation.

The operational impact of this authenticated RCE vulnerability extends far beyond typical application-level compromises, as successful exploitation grants attackers complete control over the underlying deployment host. An attacker with valid user credentials can execute arbitrary commands with host-level privileges, potentially leading to full system compromise, data exfiltration, or lateral movement within the infrastructure. This vulnerability particularly affects self-hosted deployments where Coolify manages multiple applications and databases, creating a single point of failure that could impact entire server environments. Because exploitation requires authentication, an attacker needs to compromise only one user with legitimate access rights, which makes this threat particularly dangerous in environments with shared or privileged accounts.

Security controls designed to prevent such vulnerabilities include implementing proper input validation, using parameterized command execution instead of string concatenation, and employing sandboxed execution environments for build processes. The fix implemented in version 4.0.0-beta.470 addresses this issue by properly sanitizing user input before incorporating it into shell commands, thereby preventing command injection attacks. Organizations should also consider implementing additional security measures such as privilege separation, containerization of build processes, and regular security audits of third-party tools. This vulnerability aligns with CWE-78 (Improper Neutralization of Special Elements used in OS Commands) and maps to ATT&CK technique T1059.004 (Command and Scripting Interpreter: Unix Shell), demonstrating the importance of proper command execution handling in security architectures.
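The concatenation flaw described in the analysis above, placed beside the parameterized alternative the "security controls" paragraph calls for, as an added Python illustration (not Coolify's own code, which is PHP; the nixpacks command line template and the hostile install_command value are constructed for this example, and the page does not state how the actual fix is implemented):

```python
import shlex

# Constructed sample value (not from the advisory): an install_command whose
# embedded quote closes the quoting that the unsafe template wraps around it.
HOSTILE_INSTALL_CMD = "npm install'; echo injected; '"

# Shell operators that start a new simple command.
SEPARATORS = {";", "&", "&&", "|", "||"}


def build_unsafe(install_cmd: str) -> str:
    """Vulnerable pattern: the user value is concatenated into a host shell
    string. The surrounding single quotes are no protection, because a quote
    inside the value terminates them early and the rest runs on the host."""
    return "nixpacks build . --install-cmd '" + install_cmd + "'"


def build_safe_argv(install_cmd: str) -> list[str]:
    """Hardened pattern: pass the value as one argv element (for example
    subprocess.run(argv) without shell=True). No host shell ever parses it;
    the value only reaches nixpacks as its --install-cmd argument."""
    return ["nixpacks", "build", ".", "--install-cmd", install_cmd]


def build_safe_string(install_cmd: str) -> str:
    """When one shell string is unavoidable (such as a command sent over SSH
    to the deployment host), quote the value so the shell sees exactly one
    word whatever characters it contains."""
    return "nixpacks build . --install-cmd " + shlex.quote(install_cmd)


def shell_commands(cmd: str) -> list[list[str]]:
    """Tokenize a command line as a POSIX shell would and split it into the
    simple commands the host would run. Lets us inspect what each rendering
    hands to the shell without executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return commands


if __name__ == "__main__":
    for label, rendered in (("unsafe", build_unsafe(HOSTILE_INSTALL_CMD)),
                            ("quoted", build_safe_string(HOSTILE_INSTALL_CMD))):
        print(label, shell_commands(rendered))
```

The unsafe rendering yields three separate commands for the host shell, the second of which is attacker-controlled, while the quoted rendering and the argv form keep the whole value as a single --install-cmd argument.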

The remediation process requires immediate upgrading to version 4.0.0-beta.470 or later, which implements proper input sanitization and validation mechanisms for build parameters. Security teams should also conduct thorough assessments of all systems running vulnerable versions, review access controls to limit user privileges, and implement monitoring solutions to detect potential exploitation attempts. Organizations may need to consider additional defensive measures such as network segmentation, privileged access management, and regular penetration testing to ensure comprehensive protection against similar vulnerabilities in other components of their infrastructure stack.

Responsible

GitHub M

Reservation

03/30/2026

Disclosure

06/30/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
