CVE-2026-42200 in Coolify
Summary
by MITRE • 07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue is fixed in version 4.0.0-beta.474.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability exists within Coolify's PostgreSQL initialization process where the generate_init_scripts() method fails to properly validate filename inputs during database setup operations. This flaw represents a classic path traversal vulnerability that allows authenticated users to manipulate file paths and write content outside designated directories. The issue specifically affects the application's handling of filenames in the StartPostgresql.php file, which serves as a critical component for database initialization workflows.
Security researchers identified this weakness through careful analysis of the codebase where the method processes user-provided inputs without adequate sanitization or path validation mechanisms. When an authenticated user interacts with the PostgreSQL initialization functionality, they can craft malicious filename inputs that bypass normal directory restrictions. This vulnerability leverages the principle of insufficient input validation which is categorized under CWE-22 Path Traversal attacks and aligns with ATT&CK technique T1059 Command and Scripting Interpreter.
The operational impact of this vulnerability extends beyond simple file system manipulation as it enables authenticated attackers to achieve arbitrary command execution through the database initialization process. Once an attacker successfully writes files outside the intended directory, they can potentially inject malicious code or scripts that execute with the privileges of the Coolify application process. This creates a severe escalation path where unauthorized users can gain control over the server environment and potentially compromise other services running on the same infrastructure.
Mitigation strategies should focus on implementing comprehensive input validation and sanitization within the generate_init_scripts() method to prevent path traversal attempts. The fix in version 4.0.0-beta.474 addresses this by enforcing strict filename handling that validates all inputs against a whitelist of acceptable characters and prevents directory traversal sequences. Organizations should also implement proper access controls and monitor database initialization activities for suspicious file creation patterns. Additionally, security teams should consider implementing principle of least privilege configurations where the Coolify application runs with minimal necessary permissions to reduce potential impact from such vulnerabilities.
This vulnerability demonstrates the critical importance of validating all user inputs in server-side applications, particularly when dealing with file system operations that may be triggered through authenticated workflows. The fix highlights the necessity of proper path validation and input sanitization as fundamental security controls. Security practitioners should also consider implementing automated vulnerability scanning tools that can detect similar path traversal patterns in other components of their application ecosystems. The remediation approach taken by Coolify developers aligns with industry best practices for preventing command injection and file system manipulation attacks, emphasizing the need for robust input validation across all application interfaces.
The vulnerability represents a significant risk to self-hosted environments where Coolify is deployed, as it allows attackers with valid credentials to escalate privileges and compromise entire server infrastructures. This issue underscores the importance of regular security updates and the potential consequences of insufficient input validation in authentication-based systems. Organizations should implement comprehensive testing procedures including penetration testing and code reviews to identify similar vulnerabilities before they can be exploited by malicious actors.