CVE-2026-42143 in Coolify
Summary
by MITRE • 07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/07/2026
This vulnerability exists within Coolify, an open-source self-hostable platform designed for server, application, and database management. The flaw manifests in the handling of persistent volume names where user-controlled input is directly interpolated into shell commands executed on managed servers. This represents a classic command injection vulnerability that leverages improper input validation and sanitization practices. The vulnerability affects versions prior to 4.0.0-beta.471 and specifically targets authenticated users who can manipulate volume names through the platform's interface.
The technical implementation of this flaw occurs when Coolify processes user-specified volume names during volume operations such as creation, deletion, or modification. These volume names are directly embedded into shell command strings without proper escaping or validation mechanisms, creating an environment where maliciously crafted input can alter the intended command execution flow. When volume operations are triggered, the system executes commands like "rm -rf /path/to/volume/${volume_name}" where the ${volume_name} variable contains user-controlled content that can include shell metacharacters such as semicolons, ampersands, backticks, or pipe characters. This allows attackers to inject additional commands that execute with the privileges of the root user who manages the server.
The operational impact of this vulnerability is severe and potentially catastrophic for organizations relying on Coolify for infrastructure management. An authenticated attacker can escalate privileges from their regular user account to root access on managed servers, enabling them to execute arbitrary commands, modify system files, install malware, or exfiltrate sensitive data. The attack vector requires only a single authenticated session within the Coolify platform, making it particularly dangerous in environments where multiple users have access. This vulnerability directly maps to CWE-78 "Improper Neutralization of Special Elements used in an OS Command" and aligns with ATT&CK technique T1059.004 "Command and Scripting Interpreter: Unix Shell," specifically targeting the execution of malicious commands through shell injection.
The remediation for this vulnerability involves implementing proper input validation and sanitization measures that prevent special shell characters from being interpreted as command delimiters or operators. Version 4.0.0-beta.471 addresses this issue by introducing proper escaping mechanisms when interpolating user-controlled volume names into shell commands. Organizations should immediately upgrade to this patched version or implement additional mitigations such as using parameterized commands, implementing strict input validation for volume name fields, and employing privilege separation techniques where possible. Security teams should also conduct comprehensive audits of similar code patterns within the platform to identify and remediate potential command injection vulnerabilities in other components that may utilize user-controlled input in shell operations.