CVE-2026-59734 in Coolifyinfo

Summary

by MITRE • 07/09/2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generate_healthcheck_commands() function directly interpolated the health_check_host, health_check_method, and health_check_path parameters into shell commands without proper sanitization, allowing authenticated users to execute arbitrary commands inside deployment containers. This issue is fixed in version 4.0.0-beta.469.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability in Coolify affects versions prior to 4.0.0-beta.469 and stems from a critical command injection flaw within the application deployment process. The ApplicationDeploymentJob.php file contains a function named generate_healthcheck_commands() that directly interpolates user-supplied parameters into shell commands without adequate sanitization or validation. This design flaw creates an environment where authenticated users can manipulate deployment configurations to inject malicious shell commands that will execute within the deployment containers. The affected parameters include health_check_host, health_check_method, and health_check_path which are processed through a command construction mechanism that does not properly escape or validate user input before incorporating it into system calls.

This vulnerability represents a classic command injection weakness that aligns with CWE-78 and CWE-88 categories, where insufficient sanitization of external input leads to arbitrary code execution. The attack vector requires authentication since only authenticated users can modify application deployment configurations, but once exploited, the impact extends to full command execution capabilities within the deployment containers. The security implications are significant because deployment containers often run with elevated privileges and may have access to sensitive data, network resources, and system functionalities that could be leveraged by an attacker.

The operational impact of this vulnerability is severe as it allows authenticated attackers to execute arbitrary commands on systems where Coolify is deployed. Attackers can potentially escalate their privileges, exfiltrate sensitive data, modify application configurations, or even establish persistent access through the deployment containers. The vulnerability affects the core deployment functionality of Coolify, making it a critical security concern for organizations relying on this self-hosted management tool. Organizations using older versions face risks of unauthorized command execution that could compromise entire deployment environments and potentially lead to broader system compromise.

Mitigation strategies should prioritize immediate upgrade to version 4.0.0-beta.469 or later where the vulnerability has been addressed through proper input sanitization and validation. Administrators should also implement additional security controls including limiting administrative privileges, monitoring deployment configuration changes, and conducting regular security assessments of deployment processes. The fix in the updated version likely involves implementing proper shell escaping mechanisms and parameter validation before command construction, aligning with best practices recommended by the ATT&CK framework for preventing command injection attacks. Organizations should also consider implementing network segmentation and access controls to limit the potential impact of successful exploitation attempts.

Responsible

GitHub M

Reservation

07/06/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!