Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
138 vulnerabilities by coollabsio
CVE-2026-42201 (GCVE-0-2026-42201)
Vulnerability from nvd – Published: 2026-07-07 03:29 – Updated: 2026-07-07 03:29
VLAI
Title
Coolify: OS Command Injection via Database Credential Fields in Docker Compose Service Commands
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, mysql_user) are validated only as 'string' at the API layer, with zero shell-safety checks. These values are then interpolated directly into Docker Compose YAML command: strings without any escaping. This issue is fixed in version 4.0.0-beta.474.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9676 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/bff6… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, mysql_user) are validated only as \u0027string\u0027 at the API layer, with zero shell-safety checks. These values are then interpolated directly into Docker Compose YAML command: strings without any escaping. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:29:13.739Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f35h-g2c2-q36v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f35h-g2c2-q36v"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9676",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9676"
},
{
"name": "https://github.com/coollabsio/coolify/commit/bff6d853708f3d7c861279586f107739036e67da",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/bff6d853708f3d7c861279586f107739036e67da"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-f35h-g2c2-q36v",
"discovery": "UNKNOWN"
},
"title": "Coolify: OS Command Injection via Database Credential Fields in Docker Compose Service Commands"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42201",
"datePublished": "2026-07-07T03:29:13.739Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-07-07T03:29:13.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34158 (GCVE-0-2026-34158)
Vulnerability from nvd – Published: 2026-07-07 03:28 – Updated: 2026-07-07 03:28
VLAI
Title
Coolify: Command injection via single-quote breakout in Docker Compose custom commands
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a single quote into docker_compose_custom_build_command or docker_compose_custom_start_command to break out of the quoted context and execute arbitrary commands on the managed server host during deployments, escaping the intended Docker container confinement. This issue is fixed in version 4.0.0-beta.469.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.469
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.469"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a single quote into docker_compose_custom_build_command or docker_compose_custom_start_command to break out of the quoted context and execute arbitrary commands on the managed server host during deployments, escaping the intended Docker container confinement. This issue is fixed in version 4.0.0-beta.469."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:28:33.647Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-j6j2-frv3-g6f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-j6j2-frv3-g6f7"
}
],
"source": {
"advisory": "GHSA-j6j2-frv3-g6f7",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command injection via single-quote breakout in Docker Compose custom commands"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34158",
"datePublished": "2026-07-07T03:28:33.647Z",
"dateReserved": "2026-03-25T20:12:04.196Z",
"dateUpdated": "2026-07-07T03:28:33.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42200 (GCVE-0-2026-42200)
Vulnerability from nvd – Published: 2026-07-07 02:48 – Updated: 2026-07-07 02:48
VLAI
Title
Coolify: PostgreSQL Init Script Path Traversal Leads to Arbitrary File Write and Root RCE
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue is fixed in version 4.0.0-beta.474.
Severity
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9681 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/1cf6… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T02:48:04.402Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-mv4c-9x67-rrmv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-mv4c-9x67-rrmv"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9681",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9681"
},
{
"name": "https://github.com/coollabsio/coolify/commit/1cf6c7d0aef8e0edb800ae43f44ded102397cb13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/1cf6c7d0aef8e0edb800ae43f44ded102397cb13"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-mv4c-9x67-rrmv",
"discovery": "UNKNOWN"
},
"title": "Coolify: PostgreSQL Init Script Path Traversal Leads to Arbitrary File Write and Root RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42200",
"datePublished": "2026-07-07T02:48:04.402Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-07-07T02:48:04.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42172 (GCVE-0-2026-42172)
Vulnerability from nvd – Published: 2026-07-07 02:52 – Updated: 2026-07-07 02:52
VLAI
Title
Coolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9677 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/b1a7… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T02:52:58.684Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-c83f-5ph7-x8xv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-c83f-5ph7-x8xv"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9677",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9677"
},
{
"name": "https://github.com/coollabsio/coolify/commit/b1a78df58efe3ac38679d18c888b5817c7f01216",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/b1a78df58efe3ac38679d18c888b5817c7f01216"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-c83f-5ph7-x8xv",
"discovery": "UNKNOWN"
},
"title": "Coolify: Sanctum API Tokens Have No Expiration \u2014 Leaked Tokens Grant Permanent Access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42172",
"datePublished": "2026-07-07T02:52:58.684Z",
"dateReserved": "2026-04-25T01:53:21.581Z",
"dateUpdated": "2026-07-07T02:52:58.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42147 (GCVE-0-2026-42147)
Vulnerability from nvd – Published: 2026-07-07 03:13 – Updated: 2026-07-07 03:13
VLAI
Title
Coolify: SSRF via S3 Storage Endpoint in testConnection()
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection() sends a server-side request to the configured endpoint, allowing an authenticated user with storage management permissions to make Coolify request internal or metadata-service URLs. This issue is fixed in version 4.0.0-beta.474.
Severity
4.9 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/297e… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection() sends a server-side request to the configured endpoint, allowing an authenticated user with storage management permissions to make Coolify request internal or metadata-service URLs. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:13:50.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-pwm4-w33c-wjf3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-pwm4-w33c-wjf3"
},
{
"name": "https://github.com/coollabsio/coolify/commit/297e9c41e19958f6237919794c28c3fb1d4cda32",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/297e9c41e19958f6237919794c28c3fb1d4cda32"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-pwm4-w33c-wjf3",
"discovery": "UNKNOWN"
},
"title": "Coolify: SSRF via S3 Storage Endpoint in testConnection()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42147",
"datePublished": "2026-07-07T03:13:50.436Z",
"dateReserved": "2026-04-24T17:15:21.834Z",
"dateUpdated": "2026-07-07T03:13:50.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42145 (GCVE-0-2026-42145)
Vulnerability from nvd – Published: 2026-07-07 03:03 – Updated: 2026-07-07 03:03
VLAI
Title
Coolify: File Upload Without Type or Size Validation in Database Backup Restore
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for database backup restore uploads did not enforce file type or size validation, allowing an authenticated user to upload unexpected or oversized files that could affect service availability. This issue is fixed in version 4.0.0-beta.474.
Severity
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9667 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/e6a6… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for database backup restore uploads did not enforce file type or size validation, allowing an authenticated user to upload unexpected or oversized files that could affect service availability. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:03:58.895Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-66gv-g2w9-6wxp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-66gv-g2w9-6wxp"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9667",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9667"
},
{
"name": "https://github.com/coollabsio/coolify/commit/e6a6446daeace2999fb77888a611a3271812911f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/e6a6446daeace2999fb77888a611a3271812911f"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-66gv-g2w9-6wxp",
"discovery": "UNKNOWN"
},
"title": "Coolify: File Upload Without Type or Size Validation in Database Backup Restore"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42145",
"datePublished": "2026-07-07T03:03:58.895Z",
"dateReserved": "2026-04-24T17:15:21.834Z",
"dateUpdated": "2026-07-07T03:03:58.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42143 (GCVE-0-2026-42143)
Vulnerability from nvd – Published: 2026-07-07 03:15 – Updated: 2026-07-07 03:15
VLAI
Title
Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/d206… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:15:04.280Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6pmw-6m96-4v4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6pmw-6m96-4v4m"
},
{
"name": "https://github.com/coollabsio/coolify/commit/d2064dd4998694cda2eabd00149f7c4d1e94c699",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/d2064dd4998694cda2eabd00149f7c4d1e94c699"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-6pmw-6m96-4v4m",
"discovery": "UNKNOWN"
},
"title": "Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42143",
"datePublished": "2026-07-07T03:15:04.280Z",
"dateReserved": "2026-04-24T17:15:21.834Z",
"dateUpdated": "2026-07-07T03:15:04.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34198 (GCVE-0-2026-34198)
Vulnerability from nvd – Published: 2026-07-07 03:01 – Updated: 2026-07-07 03:01
VLAI
Title
Coolify: Password reset link poisoning via X-Forwarded-Host header spoofing
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting X-Forwarded-Host from any source. The TrustHosts middleware, intended to prevent host header attacks, has a circular caching dependency that prevents it from ever validating hosts. When a password reset is requested, the ResetPassword notification generates the reset URL using url(route(..., false)), which derives the host from the (spoofable) request. An unauthenticated attacker can trigger a password reset email containing a link pointing to an attacker-controlled domain, enabling token theft and account takeover. This issue is fixed in version 4.0.0-beta.471.
Severity
5.3 (Medium)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9193 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/9856… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = \u0027*\u0027), accepting X-Forwarded-Host from any source. The TrustHosts middleware, intended to prevent host header attacks, has a circular caching dependency that prevents it from ever validating hosts. When a password reset is requested, the ResetPassword notification generates the reset URL using url(route(..., false)), which derives the host from the (spoofable) request. An unauthenticated attacker can trigger a password reset email containing a link pointing to an attacker-controlled domain, enabling token theft and account takeover. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:01:19.285Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-cgj8-7m5q-x5gv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-cgj8-7m5q-x5gv"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9193",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9193"
},
{
"name": "https://github.com/coollabsio/coolify/commit/98569e4edbfc316877c9e0d27ea89fab3c49e3bd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/98569e4edbfc316877c9e0d27ea89fab3c49e3bd"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-cgj8-7m5q-x5gv",
"discovery": "UNKNOWN"
},
"title": "Coolify: Password reset link poisoning via X-Forwarded-Host header spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34198",
"datePublished": "2026-07-07T03:01:19.285Z",
"dateReserved": "2026-03-26T15:57:52.323Z",
"dateUpdated": "2026-07-07T03:01:19.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34171 (GCVE-0-2026-34171)
Vulnerability from nvd – Published: 2026-07-07 03:07 – Updated: 2026-07-07 03:07
VLAI
Title
Coolify: Account takeover via CSRF-able GET endpoint that resets password to attacker-known value
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. This issue is fixed in version 4.0.0-beta.471.
Severity
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/25d4… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:07:50.372Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-389w-cc6x-wr2m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-389w-cc6x-wr2m"
},
{
"name": "https://github.com/coollabsio/coolify/commit/25d424c743d5134d4a005a6d8f754bb3235b632c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/25d424c743d5134d4a005a6d8f754bb3235b632c"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-389w-cc6x-wr2m",
"discovery": "UNKNOWN"
},
"title": "Coolify: Account takeover via CSRF-able GET endpoint that resets password to attacker-known value"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34171",
"datePublished": "2026-07-07T03:07:50.372Z",
"dateReserved": "2026-03-25T20:12:04.198Z",
"dateUpdated": "2026-07-07T03:07:50.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34170 (GCVE-0-2026-34170)
Vulnerability from nvd – Published: 2026-07-07 03:23 – Updated: 2026-07-07 03:23
VLAI
Title
Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a GitHub App source that causes Coolify to request internal services or cloud metadata endpoints. This issue is reported as fixed in version 4.0.0-beta.471.
Severity
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a GitHub App source that causes Coolify to request internal services or cloud metadata endpoints. This issue is reported as fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:23:40.061Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-3g6r-cxv5-3c7h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-3g6r-cxv5-3c7h"
}
],
"source": {
"advisory": "GHSA-3g6r-cxv5-3c7h",
"discovery": "UNKNOWN"
},
"title": "Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34170",
"datePublished": "2026-07-07T03:23:40.061Z",
"dateReserved": "2026-03-25T20:12:04.198Z",
"dateUpdated": "2026-07-07T03:23:40.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34168 (GCVE-0-2026-34168)
Vulnerability from nvd – Published: 2026-07-07 03:05 – Updated: 2026-07-07 03:05
VLAI
Title
Coolify: Command injection via unsanitized persistent storage name in docker volume commands
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a storage name containing shell metacharacters and execute commands on managed servers when the resource is deleted. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/d206… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a storage name containing shell metacharacters and execute commands on managed servers when the resource is deleted. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:05:18.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-mh8x-fppq-cp77",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-mh8x-fppq-cp77"
},
{
"name": "https://github.com/coollabsio/coolify/commit/d2064dd4998694cda2eabd00149f7c4d1e94c699",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/d2064dd4998694cda2eabd00149f7c4d1e94c699"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-mh8x-fppq-cp77",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command injection via unsanitized persistent storage name in docker volume commands"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34168",
"datePublished": "2026-07-07T03:05:18.855Z",
"dateReserved": "2026-03-25T20:12:04.198Z",
"dateUpdated": "2026-07-07T03:05:18.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34152 (GCVE-0-2026-34152)
Vulnerability from nvd – Published: 2026-07-07 03:11 – Updated: 2026-07-07 03:11
VLAI
Title
Coolify: Command Injection via Newline in Pre/Post Deployment Commands (Heredoc Transport)
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9173 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/ad95… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:11:14.111Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5qp8-9gg7-4c86",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5qp8-9gg7-4c86"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9173",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9173"
},
{
"name": "https://github.com/coollabsio/coolify/commit/ad95d65aca064f49b38f73f88d61f842737d5463",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/ad95d65aca064f49b38f73f88d61f842737d5463"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-5qp8-9gg7-4c86",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command Injection via Newline in Pre/Post Deployment Commands (Heredoc Transport)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34152",
"datePublished": "2026-07-07T03:11:14.111Z",
"dateReserved": "2026-03-25T20:12:04.196Z",
"dateUpdated": "2026-07-07T03:11:14.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34149 (GCVE-0-2026-34149)
Vulnerability from nvd – Published: 2026-07-07 03:09 – Updated: 2026-07-07 03:09
VLAI
Title
Coolify: Authenticated Host-Level RCE via Unescaped Database Credentials in Backup Jobs
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an authenticated user with database management permissions to execute commands on managed servers. This issue is fixed in version 4.0.0-beta.471.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/952f… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/9904… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an authenticated user with database management permissions to execute commands on managed servers. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:09:33.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4vff-6j8j-qhcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4vff-6j8j-qhcg"
},
{
"name": "https://github.com/coollabsio/coolify/commit/952f3247970d261ff93f85c79066192f58f9557e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/952f3247970d261ff93f85c79066192f58f9557e"
},
{
"name": "https://github.com/coollabsio/coolify/commit/99043600ee881fd8581185e7590604d9882382cd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/99043600ee881fd8581185e7590604d9882382cd"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-4vff-6j8j-qhcg",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated Host-Level RCE via Unescaped Database Credentials in Backup Jobs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34149",
"datePublished": "2026-07-07T03:09:33.827Z",
"dateReserved": "2026-03-25T20:12:04.196Z",
"dateUpdated": "2026-07-07T03:09:33.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34058 (GCVE-0-2026-34058)
Vulnerability from nvd – Published: 2026-07-07 02:58 – Updated: 2026-07-07 02:58
VLAI
Title
Coolify: OS Command Injection via Unmanaged Container Operations - Remote Code Execution
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser without any sanitization or escaping. This parameter is interpolated directly into shell commands executed via SSH on managed servers, enabling any authenticated team member to execute arbitrary OS commands on remote servers. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9172 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/944a… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\\Resources exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser without any sanitization or escaping. This parameter is interpolated directly into shell commands executed via SSH on managed servers, enabling any authenticated team member to execute arbitrary OS commands on remote servers. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T02:58:57.633Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-rh5x-qx77-fq9v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-rh5x-qx77-fq9v"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9172",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9172"
},
{
"name": "https://github.com/coollabsio/coolify/commit/944a038349216f00b390e905c121355adc8b23c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/944a038349216f00b390e905c121355adc8b23c1"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-rh5x-qx77-fq9v",
"discovery": "UNKNOWN"
},
"title": "Coolify: OS Command Injection via Unmanaged Container Operations - Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34058",
"datePublished": "2026-07-07T02:58:57.633Z",
"dateReserved": "2026-03-25T15:29:04.747Z",
"dateUpdated": "2026-07-07T02:58:57.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34057 (GCVE-0-2026-34057)
Vulnerability from nvd – Published: 2026-07-07 03:17 – Updated: 2026-07-07 03:17
VLAI
Title
Coolify: Authenticated Remote Code Execution via Command Injection in Database Import Container Name
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without locking or validation, allowing an authenticated user to inject commands through a database import container name. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/d486… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without locking or validation, allowing an authenticated user to inject commands through a database import container name. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:17:37.605Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6r3g-w7x8-54fj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6r3g-w7x8-54fj"
},
{
"name": "https://github.com/coollabsio/coolify/commit/d486bf09ab2da8ad78fa721a079f066c76ce08d2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/d486bf09ab2da8ad78fa721a079f066c76ce08d2"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-6r3g-w7x8-54fj",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated Remote Code Execution via Command Injection in Database Import Container Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34057",
"datePublished": "2026-07-07T03:17:37.605Z",
"dateReserved": "2026-03-25T15:29:04.747Z",
"dateUpdated": "2026-07-07T03:17:37.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34048 (GCVE-0-2026-34048)
Vulnerability from nvd – Published: 2026-07-07 03:19 – Updated: 2026-07-07 03:19
VLAI
Title
Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes and execute commands on team servers. This issue is fixed in version 4.0.0-beta.471.
Severity
9.9 (Critical)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/8471… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes and execute commands on team servers. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:19:42.772Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-mw6q-2hmg-mhxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-mw6q-2hmg-mhxv"
},
{
"name": "https://github.com/coollabsio/coolify/commit/847166a3f89b7c80972fa0d2e5c754976f95b6ad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/847166a3f89b7c80972fa0d2e5c754976f95b6ad"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-mw6q-2hmg-mhxv",
"discovery": "UNKNOWN"
},
"title": "Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34048",
"datePublished": "2026-07-07T03:19:42.772Z",
"dateReserved": "2026-03-25T15:29:04.745Z",
"dateUpdated": "2026-07-07T03:19:42.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34047 (GCVE-0-2026-34047)
Vulnerability from nvd – Published: 2026-07-07 02:54 – Updated: 2026-07-07 02:54
VLAI
Title
Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outside the authorized scope and potentially execute commands. This issue is fixed in version 4.0.0-beta.471.
Severity
9.9 (Critical)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9169 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/bc91… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outside the authorized scope and potentially execute commands. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T02:54:59.968Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-652w-qv22-2r7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-652w-qv22-2r7c"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9169",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9169"
},
{
"name": "https://github.com/coollabsio/coolify/commit/bc91b41f92f1bbb53886a5d7a60335cbf1621cd5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/bc91b41f92f1bbb53886a5d7a60335cbf1621cd5"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-652w-qv22-2r7c",
"discovery": "UNKNOWN"
},
"title": "Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34047",
"datePublished": "2026-07-07T02:54:59.968Z",
"dateReserved": "2026-03-25T15:29:04.745Z",
"dateUpdated": "2026-07-07T02:54:59.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34044 (GCVE-0-2026-34044)
Vulnerability from nvd – Published: 2026-07-07 03:12 – Updated: 2026-07-07 03:12
VLAI
Title
Coolify: Cross-team IDOR in logs component (resource lookup not team-scoped)
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by other teams by supplying a victim resource UUID. This issue is fixed in version 4.0.0-beta.466.
Severity
7.7 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/6fbb… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.466
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.466"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by other teams by supplying a victim resource UUID. This issue is fixed in version 4.0.0-beta.466."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:12:30.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-565g-9j4m-wqmr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-565g-9j4m-wqmr"
},
{
"name": "https://github.com/coollabsio/coolify/commit/6fbb5e626a82c576ae7a1a08b4e1d16aee2e82ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/6fbb5e626a82c576ae7a1a08b4e1d16aee2e82ed"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466"
}
],
"source": {
"advisory": "GHSA-565g-9j4m-wqmr",
"discovery": "UNKNOWN"
},
"title": "Coolify: Cross-team IDOR in logs component (resource lookup not team-scoped)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34044",
"datePublished": "2026-07-07T03:12:30.401Z",
"dateReserved": "2026-03-25T15:29:04.745Z",
"dateUpdated": "2026-07-07T03:12:30.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34037 (GCVE-0-2026-34037)
Vulnerability from nvd – Published: 2026-07-07 03:21 – Updated: 2026-07-07 03:21
VLAI
Title
Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464.
Severity
9.9 (Critical)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/1759… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:21:52.088Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-ggrr-wrvr-x83v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-ggrr-wrvr-x83v"
},
{
"name": "https://github.com/coollabsio/coolify/commit/1759a1631cd63271ebf6caa250c6d93440eaa333",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/1759a1631cd63271ebf6caa250c6d93440eaa333"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.464",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.464"
}
],
"source": {
"advisory": "GHSA-ggrr-wrvr-x83v",
"discovery": "UNKNOWN"
},
"title": "Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34037",
"datePublished": "2026-07-07T03:21:52.088Z",
"dateReserved": "2026-03-25T15:29:04.744Z",
"dateUpdated": "2026-07-07T03:21:52.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34035 (GCVE-0-2026-34035)
Vulnerability from nvd – Published: 2026-07-07 02:56 – Updated: 2026-07-07 02:56
VLAI
Title
Coolify: Host RCE via Log Drain secret/env command injection
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell commands without sufficient encoding, allowing an authenticated user to inject commands executed on the host. This issue is fixed in version 4.0.0-beta.466.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/fcd5… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.466
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.466"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell commands without sufficient encoding, allowing an authenticated user to inject commands executed on the host. This issue is fixed in version 4.0.0-beta.466."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T02:56:44.328Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-3xm2-hqg8-4m2p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-3xm2-hqg8-4m2p"
},
{
"name": "https://github.com/coollabsio/coolify/commit/fcd574e1eb1c2f504c48e5be4a5cb6d69f8f1f55",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/fcd574e1eb1c2f504c48e5be4a5cb6d69f8f1f55"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466"
}
],
"source": {
"advisory": "GHSA-3xm2-hqg8-4m2p",
"discovery": "UNKNOWN"
},
"title": "Coolify: Host RCE via Log Drain secret/env command injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34035",
"datePublished": "2026-07-07T02:56:44.328Z",
"dateReserved": "2026-03-25T15:29:04.744Z",
"dateUpdated": "2026-07-07T02:56:44.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34034 (GCVE-0-2026-34034)
Vulnerability from nvd – Published: 2026-07-07 03:06 – Updated: 2026-07-07 03:06
VLAI
Title
Coolify: Host RCE via Sentinel token injection
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell syntax and execute commands on the host when Sentinel is restarted. This issue is fixed in version 4.0.0-beta.466.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/096d… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.466
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.466"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell syntax and execute commands on the host when Sentinel is restarted. This issue is fixed in version 4.0.0-beta.466."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:06:31.815Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-rpr8-p7jc-x844",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-rpr8-p7jc-x844"
},
{
"name": "https://github.com/coollabsio/coolify/commit/096d4369e59b3db7ace2db3ca42588c41b9b6019",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/096d4369e59b3db7ace2db3ca42588c41b9b6019"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466"
}
],
"source": {
"advisory": "GHSA-rpr8-p7jc-x844",
"discovery": "UNKNOWN"
},
"title": "Coolify: Host RCE via Sentinel token injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34034",
"datePublished": "2026-07-07T03:06:31.815Z",
"dateReserved": "2026-03-25T15:29:04.743Z",
"dateUpdated": "2026-07-07T03:06:31.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42201 (GCVE-0-2026-42201)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:29 – Updated: 2026-07-07 03:29
VLAI
Title
Coolify: OS Command Injection via Database Credential Fields in Docker Compose Service Commands
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, mysql_user) are validated only as 'string' at the API layer, with zero shell-safety checks. These values are then interpolated directly into Docker Compose YAML command: strings without any escaping. This issue is fixed in version 4.0.0-beta.474.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9676 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/bff6… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, mysql_user) are validated only as \u0027string\u0027 at the API layer, with zero shell-safety checks. These values are then interpolated directly into Docker Compose YAML command: strings without any escaping. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:29:13.739Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f35h-g2c2-q36v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f35h-g2c2-q36v"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9676",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9676"
},
{
"name": "https://github.com/coollabsio/coolify/commit/bff6d853708f3d7c861279586f107739036e67da",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/bff6d853708f3d7c861279586f107739036e67da"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-f35h-g2c2-q36v",
"discovery": "UNKNOWN"
},
"title": "Coolify: OS Command Injection via Database Credential Fields in Docker Compose Service Commands"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42201",
"datePublished": "2026-07-07T03:29:13.739Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-07-07T03:29:13.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34158 (GCVE-0-2026-34158)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:28 – Updated: 2026-07-07 03:28
VLAI
Title
Coolify: Command injection via single-quote breakout in Docker Compose custom commands
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a single quote into docker_compose_custom_build_command or docker_compose_custom_start_command to break out of the quoted context and execute arbitrary commands on the managed server host during deployments, escaping the intended Docker container confinement. This issue is fixed in version 4.0.0-beta.469.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.469
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.469"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a single quote into docker_compose_custom_build_command or docker_compose_custom_start_command to break out of the quoted context and execute arbitrary commands on the managed server host during deployments, escaping the intended Docker container confinement. This issue is fixed in version 4.0.0-beta.469."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:28:33.647Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-j6j2-frv3-g6f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-j6j2-frv3-g6f7"
}
],
"source": {
"advisory": "GHSA-j6j2-frv3-g6f7",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command injection via single-quote breakout in Docker Compose custom commands"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34158",
"datePublished": "2026-07-07T03:28:33.647Z",
"dateReserved": "2026-03-25T20:12:04.196Z",
"dateUpdated": "2026-07-07T03:28:33.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34170 (GCVE-0-2026-34170)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:23 – Updated: 2026-07-07 03:23
VLAI
Title
Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a GitHub App source that causes Coolify to request internal services or cloud metadata endpoints. This issue is reported as fixed in version 4.0.0-beta.471.
Severity
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a GitHub App source that causes Coolify to request internal services or cloud metadata endpoints. This issue is reported as fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:23:40.061Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-3g6r-cxv5-3c7h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-3g6r-cxv5-3c7h"
}
],
"source": {
"advisory": "GHSA-3g6r-cxv5-3c7h",
"discovery": "UNKNOWN"
},
"title": "Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34170",
"datePublished": "2026-07-07T03:23:40.061Z",
"dateReserved": "2026-03-25T20:12:04.198Z",
"dateUpdated": "2026-07-07T03:23:40.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34037 (GCVE-0-2026-34037)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:21 – Updated: 2026-07-07 03:21
VLAI
Title
Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464.
Severity
9.9 (Critical)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/1759… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:21:52.088Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-ggrr-wrvr-x83v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-ggrr-wrvr-x83v"
},
{
"name": "https://github.com/coollabsio/coolify/commit/1759a1631cd63271ebf6caa250c6d93440eaa333",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/1759a1631cd63271ebf6caa250c6d93440eaa333"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.464",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.464"
}
],
"source": {
"advisory": "GHSA-ggrr-wrvr-x83v",
"discovery": "UNKNOWN"
},
"title": "Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34037",
"datePublished": "2026-07-07T03:21:52.088Z",
"dateReserved": "2026-03-25T15:29:04.744Z",
"dateUpdated": "2026-07-07T03:21:52.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34048 (GCVE-0-2026-34048)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:19 – Updated: 2026-07-07 03:19
VLAI
Title
Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes and execute commands on team servers. This issue is fixed in version 4.0.0-beta.471.
Severity
9.9 (Critical)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/8471… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes and execute commands on team servers. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:19:42.772Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-mw6q-2hmg-mhxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-mw6q-2hmg-mhxv"
},
{
"name": "https://github.com/coollabsio/coolify/commit/847166a3f89b7c80972fa0d2e5c754976f95b6ad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/847166a3f89b7c80972fa0d2e5c754976f95b6ad"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-mw6q-2hmg-mhxv",
"discovery": "UNKNOWN"
},
"title": "Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34048",
"datePublished": "2026-07-07T03:19:42.772Z",
"dateReserved": "2026-03-25T15:29:04.745Z",
"dateUpdated": "2026-07-07T03:19:42.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34057 (GCVE-0-2026-34057)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:17 – Updated: 2026-07-07 03:17
VLAI
Title
Coolify: Authenticated Remote Code Execution via Command Injection in Database Import Container Name
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without locking or validation, allowing an authenticated user to inject commands through a database import container name. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/d486… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without locking or validation, allowing an authenticated user to inject commands through a database import container name. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:17:37.605Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6r3g-w7x8-54fj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6r3g-w7x8-54fj"
},
{
"name": "https://github.com/coollabsio/coolify/commit/d486bf09ab2da8ad78fa721a079f066c76ce08d2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/d486bf09ab2da8ad78fa721a079f066c76ce08d2"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-6r3g-w7x8-54fj",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated Remote Code Execution via Command Injection in Database Import Container Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34057",
"datePublished": "2026-07-07T03:17:37.605Z",
"dateReserved": "2026-03-25T15:29:04.747Z",
"dateUpdated": "2026-07-07T03:17:37.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42143 (GCVE-0-2026-42143)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:15 – Updated: 2026-07-07 03:15
VLAI
Title
Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/d206… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:15:04.280Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6pmw-6m96-4v4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6pmw-6m96-4v4m"
},
{
"name": "https://github.com/coollabsio/coolify/commit/d2064dd4998694cda2eabd00149f7c4d1e94c699",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/d2064dd4998694cda2eabd00149f7c4d1e94c699"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-6pmw-6m96-4v4m",
"discovery": "UNKNOWN"
},
"title": "Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42143",
"datePublished": "2026-07-07T03:15:04.280Z",
"dateReserved": "2026-04-24T17:15:21.834Z",
"dateUpdated": "2026-07-07T03:15:04.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42147 (GCVE-0-2026-42147)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:13 – Updated: 2026-07-07 03:13
VLAI
Title
Coolify: SSRF via S3 Storage Endpoint in testConnection()
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection() sends a server-side request to the configured endpoint, allowing an authenticated user with storage management permissions to make Coolify request internal or metadata-service URLs. This issue is fixed in version 4.0.0-beta.474.
Severity
4.9 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/297e… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection() sends a server-side request to the configured endpoint, allowing an authenticated user with storage management permissions to make Coolify request internal or metadata-service URLs. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:13:50.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-pwm4-w33c-wjf3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-pwm4-w33c-wjf3"
},
{
"name": "https://github.com/coollabsio/coolify/commit/297e9c41e19958f6237919794c28c3fb1d4cda32",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/297e9c41e19958f6237919794c28c3fb1d4cda32"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-pwm4-w33c-wjf3",
"discovery": "UNKNOWN"
},
"title": "Coolify: SSRF via S3 Storage Endpoint in testConnection()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42147",
"datePublished": "2026-07-07T03:13:50.436Z",
"dateReserved": "2026-04-24T17:15:21.834Z",
"dateUpdated": "2026-07-07T03:13:50.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34044 (GCVE-0-2026-34044)
Vulnerability from cvelistv5 – Published: 2026-07-07 03:12 – Updated: 2026-07-07 03:12
VLAI
Title
Coolify: Cross-team IDOR in logs component (resource lookup not team-scoped)
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by other teams by supplying a victim resource UUID. This issue is fixed in version 4.0.0-beta.466.
Severity
7.7 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/6fbb… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.466
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.466"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by other teams by supplying a victim resource UUID. This issue is fixed in version 4.0.0-beta.466."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:12:30.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-565g-9j4m-wqmr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-565g-9j4m-wqmr"
},
{
"name": "https://github.com/coollabsio/coolify/commit/6fbb5e626a82c576ae7a1a08b4e1d16aee2e82ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/6fbb5e626a82c576ae7a1a08b4e1d16aee2e82ed"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.466"
}
],
"source": {
"advisory": "GHSA-565g-9j4m-wqmr",
"discovery": "UNKNOWN"
},
"title": "Coolify: Cross-team IDOR in logs component (resource lookup not team-scoped)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34044",
"datePublished": "2026-07-07T03:12:30.401Z",
"dateReserved": "2026-03-25T15:29:04.745Z",
"dateUpdated": "2026-07-07T03:12:30.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}