CVE-2026-42148 in Coolify
Summary
by MITRE • 07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping, allowing an attacker who can set the helper version and trigger the helper image build in a development environment to execute arbitrary commands on the server. This issue is fixed in version 4.0.0-beta.474.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability resides within Coolify's buildHelperImage method implementation in app/Livewire/Settings/Index.php, where the application fails to properly sanitize user-provided input before incorporating it into a Docker build command execution context. This represents a critical command injection flaw that directly violates secure coding principles and exposes the system to arbitrary code execution attacks. The vulnerability specifically targets the dev_helper_version field which serves as an input parameter that gets processed without appropriate shell escaping mechanisms, creating a pathway for malicious actors to manipulate the command execution flow.
The technical implementation of this flaw demonstrates a classic case of insufficient input validation and sanitization within the application's command construction logic. When an attacker can control the dev_helper_version field and subsequently trigger the helper image build process in a development environment, they gain the ability to inject malicious commands that will be executed with the privileges of the Docker build process. This vulnerability operates at the intersection of improper input handling and shell injection techniques, where the lack of proper escaping allows attackers to manipulate the command line arguments passed to the Docker build utility.
The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with full control over the server environment where Coolify is deployed. In development environments that are accessible to untrusted users or when the application is improperly configured, an attacker could potentially execute arbitrary commands including but not limited to file system manipulation, network reconnaissance, data exfiltration, or even persistence mechanisms. The vulnerability's exploitation requires minimal prerequisites as it only necessitates control over a field that should be restricted and proper timing to trigger the vulnerable code path.
This issue aligns with CWE-78 which specifically addresses improper neutralization of special elements used in OS commands, and maps directly to ATT&CK technique T1059.004 for command and script injection. The vulnerability also reflects poor input validation practices that are commonly exploited in web application attacks, particularly within self-hosted tools where the attack surface is often expanded through user-controllable parameters. Organizations using Coolify versions prior to 4.0.0-beta.474 should immediately assess their deployment configurations and ensure that development environments are properly isolated from untrusted users.
The fix implemented in version 4.0.0-beta.474 addresses the root cause by introducing proper shell escaping mechanisms for the dev_helper_version field, ensuring that any special characters or command delimiters provided by users are appropriately neutralized before being incorporated into the Docker build command. This remediation follows established security practices for preventing command injection vulnerabilities and aligns with industry standards for secure application development. Organizations should verify that their systems have been updated to this version and conduct thorough testing to ensure that the fix does not introduce any regressions in functionality while properly mitigating the command execution threat.