CVE-2026-42201 in Coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, mysql_user) are validated only as 'string' at the API layer, with zero shell-safety checks. These values are then interpolated directly into Docker Compose YAML command: strings without any escaping. This issue is fixed in version 4.0.0-beta.474.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability exists within Coolify's database credential handling mechanism where sensitive authentication parameters are processed without proper input sanitization or shell escaping measures. The flaw affects multiple database types including redis, keydb, dragonfly, clickhouse, postgres, and mysql by treating all credential fields as simple string values at the API layer without implementing any form of shell safety validation. When these credentials are subsequently interpolated into Docker Compose YAML command strings, they become vulnerable to injection attacks that could potentially compromise the entire infrastructure.

The technical implementation flaw stems from improper input validation practices where credential fields undergo only basic type checking rather than comprehensive sanitization. This design pattern creates a direct path for malicious input to be executed within shell contexts without proper escaping or quoting mechanisms. The vulnerability directly maps to CWE-78 which describes "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" and also aligns with CWE-134 which covers "Use of Externally-Controlled Format String." When user-supplied credential values contain special shell characters or escape sequences, these inputs can be interpreted by the underlying shell during Docker Compose execution, potentially allowing arbitrary command execution.

The operational impact of this vulnerability is significant as it provides attackers with potential access to critical database systems through credential interception and manipulation. An attacker could exploit this by injecting malicious commands within credential fields that would then be executed in the shell context when Coolify attempts to deploy or manage database containers. This creates a privilege escalation vector where unauthorized users might gain control over database services, leading to data breaches, service disruption, or further lateral movement within the infrastructure. The vulnerability affects all versions prior to 4.0.0-beta.474 and represents a critical security gap in Coolify's deployment automation process.

The mitigation strategy requires implementing proper input sanitization and shell escaping mechanisms for all credential fields before interpolation into Docker Compose commands. This includes validating input formats, applying proper quoting and escaping techniques, and ensuring that all user-supplied values are treated as literal strings within shell contexts. The fix implemented in version 4.0.0-beta.474 addresses this issue by introducing comprehensive validation and sanitization checks at the API layer to prevent dangerous characters from being passed through to shell execution contexts. Organizations should also implement principle of least privilege for Coolify deployments, regularly audit credential handling processes, and monitor for suspicious activity in database access logs that might indicate exploitation attempts. This vulnerability demonstrates the critical importance of proper input validation and shell escaping in container orchestration tools and aligns with ATT&CK technique T1059.001 for command and scripting interpreter.

Responsible

GitHub M

Reservation

04/25/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!