CVE-2026-42204 in Coolifyinfo

Summary

by MITRE • 07/07/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELL_SAFE_COMMAND_PATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an authenticated team member to inject shell commands that execute on the host. This issue is fixed in version 4.0.0-beta.474.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability affects Coolify versions 4.0.0-beta.471 through 4.0.0-beta.473, representing a critical command injection flaw in the container orchestration and deployment management system. This regression in the SHELL_SAFE_COMMAND_PATTERN validation mechanism created a security gap that allowed authenticated team members to inject malicious shell commands into Docker Compose build, start, and pre/post-deployment command fields. The vulnerability stems from insufficient input sanitization and improper shell command execution handling within the application's deployment pipeline.

The technical flaw manifests through a failure in proper shell escaping and command validation logic. When users define custom commands for Docker Compose operations, the system should properly sanitize inputs to prevent shell metacharacter interpretation. However, the regression allowed ampersands and other shell operators to pass through validation unchecked, enabling attackers to chain multiple commands or execute arbitrary code on the host system where Coolify is running. This represents a classic command injection vulnerability that falls under CWE-78, which specifically addresses improper neutralization of special elements used in shell commands.

The operational impact of this vulnerability is significant as it transforms a legitimate deployment feature into a potential attack vector for privilege escalation and system compromise. An authenticated team member with access to Coolify's deployment configuration can execute arbitrary shell commands on the host server, potentially leading to complete system compromise, data exfiltration, or lateral movement within the network infrastructure. The vulnerability affects the core functionality of application deployment management, making it particularly dangerous in environments where multiple users have access to deployment configurations.

This issue aligns with ATT&CK technique T1059.004 for executing shell commands and potentially T1566 for initial access through compromised credentials or privilege escalation. The vulnerability demonstrates poor input validation practices and highlights the importance of proper command injection prevention mechanisms in container orchestration platforms. Organizations using Coolify in production environments are at risk of unauthorized command execution, which could result in service disruption, data loss, or complete system compromise.

The fix implemented in version 4.0.0-beta.474 addresses this regression by restoring proper SHELL_SAFE_COMMAND_PATTERN validation and ensuring that special shell characters including ampersands are properly escaped or rejected during command processing. Security teams should immediately update to the patched version and review existing deployment configurations for potential command injection attempts. Organizations should also implement additional monitoring for unusual command execution patterns and consider restricting deployment permissions to minimize the attack surface.

The vulnerability underscores the critical importance of input validation in security-sensitive applications, particularly those handling container orchestration commands. It demonstrates how a single regression in validation logic can create a significant security risk in self-hosted management platforms where users have elevated privileges. Proper defense-in-depth strategies should include regular security assessments of custom command execution features and implementation of principle of least privilege for deployment operations.

Organizations deploying Coolify should conduct immediate vulnerability assessments to identify any potential exploitation attempts and ensure that all team members with deployment access are properly vetted and trained on secure configuration practices. The incident highlights the need for comprehensive testing of security regression fixes and proper validation of input sanitization mechanisms in applications handling shell command execution. Regular security updates and patch management procedures should be enforced to prevent similar vulnerabilities from arising in other components of the application stack.

Responsible

GitHub M

Reservation

04/25/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!