CVE-2026-34599 in Coolifyinfo

Summary

by MITRE • 07/06/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership (lowest privilege member role) to execute arbitrary commands as root on managed servers. The $container Livewire public property is interpolated directly into shell commands (docker logs, docker service logs) without sanitization, and can be modified by any client via the Livewire wire protocol because it lacks the #[Locked] attribute. This issue is fixed in version 4.0.0-beta.471.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/06/2026

The vulnerability under discussion represents a critical authenticated command injection flaw in Coolify version 4.0.0-beta.470 and earlier, where an attacker with minimal team membership privileges can escalate their access to root-level command execution on managed servers. This security weakness stems from improper input validation within the GetLogs Livewire component that handles container log retrieval operations. The vulnerability specifically affects the $container public property which is directly interpolated into shell commands without any sanitization or validation measures, creating an avenue for arbitrary code execution.

The technical implementation of this flaw occurs through the Livewire framework's wire protocol communication mechanism where the $container property lacks the #[Locked] attribute that would prevent client-side modification. This absence allows authenticated team members to manipulate the container identifier parameter and inject malicious commands that get executed with root privileges due to the privileged execution context of docker logs and docker service logs commands. The flaw essentially transforms a legitimate administrative function into an attack vector for privilege escalation, as the system treats user-supplied input as executable code without proper sanitization.

From an operational impact perspective, this vulnerability creates a severe risk landscape where even the lowest privilege team members can gain complete control over managed servers. The command injection occurs at the operating system level through Docker container management commands, potentially allowing attackers to exfiltrate sensitive data, install backdoors, modify system configurations, or launch further attacks against other systems within the network infrastructure. The root-level execution capability means that compromised systems become potential entry points for broader lateral movement and persistence mechanisms.

The vulnerability aligns with CWE-77 and CWE-94 classifications from the Common Weakness Enumeration catalog, specifically addressing command injection vulnerabilities where user-controllable data is directly used in system commands without proper sanitization. According to MITRE ATT&CK framework, this represents a privilege escalation technique through command injection (T1059.003) followed by persistence mechanisms (T1078) and defense evasion (T1070). The fix implemented in version 4.0.0-beta.471 addresses the core issue by properly sanitizing input parameters and applying the #[Locked] attribute to prevent unauthorized modification of critical properties within the Livewire component.

Mitigation strategies should include immediate upgrade to Coolify version 4.0.0-beta.471 or later to address the root cause of the vulnerability. Organizations should also implement network segmentation and access controls to limit team member privileges where possible, though this does not fully address the inherent flaw in the application's code structure. Additional defensive measures include monitoring for unusual command execution patterns in Docker container logs, implementing strict input validation policies, and conducting regular security assessments of Livewire components within the application stack to identify similar vulnerabilities. The incident highlights the critical importance of proper input sanitization and attribute protection in web applications that interact with system-level commands.

Responsible

GitHub M

Reservation

03/30/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!