Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
96 vulnerabilities by coollabsio
CVE-2026-42204 (GCVE-0-2026-42204)
Vulnerability from nvd – Published: 2026-07-06 21:17 – Updated: 2026-07-06 21:17
VLAI
Title
Coolify: Authenticated RCE via SHELL_SAFE_COMMAND_PATTERN regression → host root
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELL_SAFE_COMMAND_PATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an authenticated team member to inject shell commands that execute on the host. This issue is fixed in version 4.0.0-beta.474.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9684 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/e1aa… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
>= 4.0.0-beta.471, < 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-beta.471, \u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELL_SAFE_COMMAND_PATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an authenticated team member to inject shell commands that execute on the host. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:17:16.800Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-chg4-63hm-xv9x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-chg4-63hm-xv9x"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9684",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9684"
},
{
"name": "https://github.com/coollabsio/coolify/commit/e1aac50b745cf499e710b7e35cd2a9d6a1538dd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/e1aac50b745cf499e710b7e35cd2a9d6a1538dd9"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-chg4-63hm-xv9x",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated RCE via SHELL_SAFE_COMMAND_PATTERN regression \u2192 host root"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42204",
"datePublished": "2026-07-06T21:17:16.800Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-07-06T21:17:16.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42153 (GCVE-0-2026-42153)
Vulnerability from nvd – Published: 2026-07-06 21:30 – Updated: 2026-07-06 21:30
VLAI
Title
Coolify: PostgreSQL Healthcheck Command Injection Allows Root Code Execution in Container
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled database settings (postgres_user and postgres_db) in shell-form commands, allowing an authenticated user to inject commands executed in the database container. This issue is fixed in version 4.0.0-beta.474.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9674 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/b74f… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled database settings (postgres_user and postgres_db) in shell-form commands, allowing an authenticated user to inject commands executed in the database container. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:30:44.813Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-gvc4-f276-r88p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-gvc4-f276-r88p"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9674",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9674"
},
{
"name": "https://github.com/coollabsio/coolify/commit/b74f54302b1a857c22c55fe1210d700859b0b3df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/b74f54302b1a857c22c55fe1210d700859b0b3df"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-gvc4-f276-r88p",
"discovery": "UNKNOWN"
},
"title": "Coolify: PostgreSQL Healthcheck Command Injection Allows Root Code Execution in Container"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42153",
"datePublished": "2026-07-06T21:30:44.813Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-07-06T21:30:44.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42148 (GCVE-0-2026-42148)
Vulnerability from nvd – Published: 2026-07-06 21:14 – Updated: 2026-07-06 21:14
VLAI
Title
Coolify: Command Injection via Unescaped Version String in Docker Build
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping, allowing an attacker who can set the helper version and trigger the helper image build in a development environment to execute arbitrary commands on the server. This issue is fixed in version 4.0.0-beta.474.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9670 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/dc93… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping, allowing an attacker who can set the helper version and trigger the helper image build in a development environment to execute arbitrary commands on the server. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:14:31.801Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-x9qh-w4c4-54f9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-x9qh-w4c4-54f9"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9670",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9670"
},
{
"name": "https://github.com/coollabsio/coolify/commit/dc9322b11f5f4ab96e56af0df7d4f877e96e5e4c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/dc9322b11f5f4ab96e56af0df7d4f877e96e5e4c"
}
],
"source": {
"advisory": "GHSA-x9qh-w4c4-54f9",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command Injection via Unescaped Version String in Docker Build"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42148",
"datePublished": "2026-07-06T21:14:31.801Z",
"dateReserved": "2026-04-24T17:15:21.834Z",
"dateUpdated": "2026-07-06T21:14:31.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41899 (GCVE-0-2026-41899)
Vulnerability from nvd – Published: 2026-07-06 21:10 – Updated: 2026-07-06 21:10
VLAI
Title
Coolify unauthenticated feedback endpoint allows Discord webhook abuse
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling spam, content injection, and webhook abuse. This issue is fixed in version 4.0.0-beta.474.
Severity
6.5 (Medium)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9653 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/371e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling spam, content injection, and webhook abuse. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:10:40.097Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-v64c-v633-58xp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-v64c-v633-58xp"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9653",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9653"
},
{
"name": "https://github.com/coollabsio/coolify/commit/371e883c75a87d82c398bf89ee8ad6387348520d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/371e883c75a87d82c398bf89ee8ad6387348520d"
}
],
"source": {
"advisory": "GHSA-v64c-v633-58xp",
"discovery": "UNKNOWN"
},
"title": "Coolify unauthenticated feedback endpoint allows Discord webhook abuse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41899",
"datePublished": "2026-07-06T21:10:40.097Z",
"dateReserved": "2026-04-22T15:11:54.672Z",
"dateUpdated": "2026-07-06T21:10:40.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34599 (GCVE-0-2026-34599)
Vulnerability from nvd – Published: 2026-07-06 21:20 – Updated: 2026-07-06 21:20
VLAI
Title
Coolify: Authenticated Remote Code Execution in GetLogs Livewire Component
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership (lowest privilege member role) to execute arbitrary commands as root on managed servers. The $container Livewire public property is interpolated directly into shell commands (docker logs, docker service logs) without sanitization, and can be modified by any client via the Livewire wire protocol because it lacks the #[Locked] attribute. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9229 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/f267… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership (lowest privilege member role) to execute arbitrary commands as root on managed servers. The $container Livewire public property is interpolated directly into shell commands (docker logs, docker service logs) without sanitization, and can be modified by any client via the Livewire wire protocol because it lacks the #[Locked] attribute. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:20:56.608Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q9j6-xcvx-px63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q9j6-xcvx-px63"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9229",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9229"
},
{
"name": "https://github.com/coollabsio/coolify/commit/f267a28cb2badc7e712c4592af4d79d090fe5063",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/f267a28cb2badc7e712c4592af4d79d090fe5063"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-q9j6-xcvx-px63",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated Remote Code Execution in GetLogs Livewire Component"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34599",
"datePublished": "2026-07-06T21:20:56.608Z",
"dateReserved": "2026-03-30T17:15:52.499Z",
"dateUpdated": "2026-07-06T21:20:56.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34167 (GCVE-0-2026-34167)
Vulnerability from nvd – Published: 2026-07-06 21:28 – Updated: 2026-07-06 21:28
VLAI
Title
Coolify: Cross-tenant activity log disclosure via unlocked Livewire property in ActivityMonitor
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute. It loads activities via Activity::find($this->activityId) with no authorization or team scoping. Activity IDs are auto-incrementing integers. Any authenticated user can enumerate activity records across all teams and read the full command output from remote SSH processes, which may include secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471.
Severity
5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9189 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/2729… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire\u0027s #[Locked] attribute. It loads activities via Activity::find($this-\u003eactivityId) with no authorization or team scoping. Activity IDs are auto-incrementing integers. Any authenticated user can enumerate activity records across all teams and read the full command output from remote SSH processes, which may include secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:28:24.046Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-962v-gxmw-56hc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-962v-gxmw-56hc"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9189",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9189"
},
{
"name": "https://github.com/coollabsio/coolify/commit/2729dffb3e30167c1ffd642357b7e0bb99b7d180",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/2729dffb3e30167c1ffd642357b7e0bb99b7d180"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-962v-gxmw-56hc",
"discovery": "UNKNOWN"
},
"title": "Coolify: Cross-tenant activity log disclosure via unlocked Livewire property in ActivityMonitor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34167",
"datePublished": "2026-07-06T21:28:24.046Z",
"dateReserved": "2026-03-25T20:12:04.197Z",
"dateUpdated": "2026-07-06T21:28:24.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34153 (GCVE-0-2026-34153)
Vulnerability from nvd – Published: 2026-07-06 21:12 – Updated: 2026-07-06 21:12
VLAI
Title
Coolify LocalFileVolume fs_path command injection enables RCE
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-controlled file-mount path before creating a volume, allowing an authenticated user who can add file storage to execute commands when the storage is saved. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9176 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/3fdc… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-controlled file-mount path before creating a volume, allowing an authenticated user who can add file storage to execute commands when the storage is saved. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:12:46.488Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-46hp-7m8g-7622",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-46hp-7m8g-7622"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9176",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9176"
},
{
"name": "https://github.com/coollabsio/coolify/commit/3fdce06b654fa3b7b4be59c0faaab6b4546c78de",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/3fdce06b654fa3b7b4be59c0faaab6b4546c78de"
}
],
"source": {
"advisory": "GHSA-46hp-7m8g-7622",
"discovery": "UNKNOWN"
},
"title": "Coolify LocalFileVolume fs_path command injection enables RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34153",
"datePublished": "2026-07-06T21:12:46.488Z",
"dateReserved": "2026-03-25T20:12:04.196Z",
"dateUpdated": "2026-07-06T21:12:46.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34050 (GCVE-0-2026-34050)
Vulnerability from nvd – Published: 2026-07-06 21:08 – Updated: 2026-07-06 21:08
VLAI
Title
Coolify Settings/Updates Livewire component missing instance administrator authorization
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update checks. This issue is fixed in version 4.0.0-beta.471.
Severity
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9206 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/0fed… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update checks. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:08:08.611Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-c339-w3cq-2rjr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-c339-w3cq-2rjr"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9206",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9206"
},
{
"name": "https://github.com/coollabsio/coolify/commit/0fed553207383f384b93cba24d28122065fa67d5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/0fed553207383f384b93cba24d28122065fa67d5"
}
],
"source": {
"advisory": "GHSA-c339-w3cq-2rjr",
"discovery": "UNKNOWN"
},
"title": "Coolify Settings/Updates Livewire component missing instance administrator authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34050",
"datePublished": "2026-07-06T21:08:08.611Z",
"dateReserved": "2026-03-25T15:29:04.746Z",
"dateUpdated": "2026-07-06T21:08:08.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34049 (GCVE-0-2026-34049)
Vulnerability from nvd – Published: 2026-07-06 21:22 – Updated: 2026-07-06 21:22
VLAI
Title
Coolify: Command Injection via unsanitized MongoDB collection names in database backup
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure backup inputs to inject commands. This issue is fixed in version 4.0.0-beta.471.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9168 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/b1de… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
>= 4.0.0-beta.451, < 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-beta.451, \u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure backup inputs to inject commands. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:22:46.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4mpw-wcj4-v9pp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4mpw-wcj4-v9pp"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9168",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9168"
},
{
"name": "https://github.com/coollabsio/coolify/commit/b1de75a7c67ce6aee977bd788b41e61837dbe0b9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/b1de75a7c67ce6aee977bd788b41e61837dbe0b9"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-4mpw-wcj4-v9pp",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command Injection via unsanitized MongoDB collection names in database backup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34049",
"datePublished": "2026-07-06T21:22:46.878Z",
"dateReserved": "2026-03-25T15:29:04.745Z",
"dateUpdated": "2026-07-06T21:22:46.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32718 (GCVE-0-2026-32718)
Vulnerability from nvd – Published: 2026-07-06 21:04 – Updated: 2026-07-06 21:04
VLAI
Title
Coolify read-scoped API tokens can perform state-changing validation operations
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and servers. This issue is fixed in version 4.0.0-beta.466.
Severity
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/8893 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/c15b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.466
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.466"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and servers. This issue is fixed in version 4.0.0-beta.466."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:04:59.845Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f47p-xrgc-977v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f47p-xrgc-977v"
},
{
"name": "https://github.com/coollabsio/coolify/pull/8893",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/8893"
},
{
"name": "https://github.com/coollabsio/coolify/commit/c15bcd56347fc8c535755791e92e4f6c2af17e3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/c15bcd56347fc8c535755791e92e4f6c2af17e3a"
}
],
"source": {
"advisory": "GHSA-f47p-xrgc-977v",
"discovery": "UNKNOWN"
},
"title": "Coolify read-scoped API tokens can perform state-changing validation operations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32718",
"datePublished": "2026-07-06T21:04:59.845Z",
"dateReserved": "2026-03-13T14:33:42.825Z",
"dateUpdated": "2026-07-06T21:04:59.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34038 (GCVE-0-2026-34038)
Vulnerability from nvd – Published: 2026-07-06 20:48 – Updated: 2026-07-06 20:48
VLAI
Title
Coolify authenticated remote command injection leading to RCE and secret exfiltration
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9007 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/23f9… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.469
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.469"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:48:23.396Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9007",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9007"
},
{
"name": "https://github.com/coollabsio/coolify/commit/23f9156c7306b221101f1ebbe4d3c6b5e2522acd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/23f9156c7306b221101f1ebbe4d3c6b5e2522acd"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.469",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.469"
}
],
"source": {
"advisory": "GHSA-qqrq-r9h4-x6wp",
"discovery": "UNKNOWN"
},
"title": "Coolify authenticated remote command injection leading to RCE and secret exfiltration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34038",
"datePublished": "2026-07-06T20:48:23.396Z",
"dateReserved": "2026-03-25T15:29:04.744Z",
"dateUpdated": "2026-07-06T20:48:23.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27957 (GCVE-0-2026-27957)
Vulnerability from nvd – Published: 2026-06-30 14:39 – Updated: 2026-06-30 15:29
VLAI
Title
Coolify: Authenticated RCE via command injection in CA certificate management feature
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically would have to either be root or part of the docker group for Coolify to function as intended, this provides complete compromise of the managed server and associated docker containers. This vulnerability is fixed in 4.0.0-beta.464.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27957",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:29:10.351560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:29:33.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-7g97-c4xv-3cjx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically would have to either be root or part of the docker group for Coolify to function as intended, this provides complete compromise of the managed server and associated docker containers. This vulnerability is fixed in 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:39:06.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-7g97-c4xv-3cjx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-7g97-c4xv-3cjx"
}
],
"source": {
"advisory": "GHSA-7g97-c4xv-3cjx",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated RCE via command injection in CA certificate management feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27957",
"datePublished": "2026-06-30T14:39:06.297Z",
"dateReserved": "2026-02-25T03:24:57.792Z",
"dateUpdated": "2026-06-30T15:29:33.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27956 (GCVE-0-2026-27956)
Vulnerability from nvd – Published: 2026-06-30 14:38 – Updated: 2026-06-30 15:06
VLAI
Title
Coolify: Cross-team application domain enumeration via domains_by_server endpoint
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:06:07.402403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:06:17.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:38:15.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-9x6p-29p3-h466",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-9x6p-29p3-h466"
}
],
"source": {
"advisory": "GHSA-9x6p-29p3-h466",
"discovery": "UNKNOWN"
},
"title": "Coolify: Cross-team application domain enumeration via domains_by_server endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27956",
"datePublished": "2026-06-30T14:38:15.149Z",
"dateReserved": "2026-02-25T03:11:36.691Z",
"dateUpdated": "2026-06-30T15:06:17.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27955 (GCVE-0-2026-27955)
Vulnerability from nvd – Published: 2026-06-30 14:36 – Updated: 2026-06-30 15:01
VLAI
Title
Coolify: Command Injection via Single-Quote Breakout in `executeInDocker()`
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing a single quote to break out of the bash -c argument and execute commands on the managed server host (outside the intended Docker container context). This vulnerability is fixed in 4.0.0-beta.464.
Severity
6.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27955",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:00:56.216890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:01:03.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6h8g-wpxp-cq98"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c \u0027{$command}\u0027 without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing a single quote to break out of the bash -c argument and execute commands on the managed server host (outside the intended Docker container context). This vulnerability is fixed in 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:36:41.055Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6h8g-wpxp-cq98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-6h8g-wpxp-cq98"
}
],
"source": {
"advisory": "GHSA-6h8g-wpxp-cq98",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command Injection via Single-Quote Breakout in `executeInDocker()`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27955",
"datePublished": "2026-06-30T14:36:41.055Z",
"dateReserved": "2026-02-25T03:11:36.691Z",
"dateUpdated": "2026-06-30T15:01:03.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27883 (GCVE-0-2026-27883)
Vulnerability from nvd – Published: 2026-06-30 14:32 – Updated: 2026-07-01 14:29
VLAI
Title
Coolify: IDOR in Deployment API - Cross-Team Deployment Information Disclosure
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but never used to scope the database query. This vulnerability is fixed in 4.0.0-beta.464.
Severity
5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27883",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T14:29:11.910901Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:29:37.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f6h4-qx26-76jv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but never used to scope the database query. This vulnerability is fixed in 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:32:25.434Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f6h4-qx26-76jv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f6h4-qx26-76jv"
}
],
"source": {
"advisory": "GHSA-f6h4-qx26-76jv",
"discovery": "UNKNOWN"
},
"title": "Coolify: IDOR in Deployment API - Cross-Team Deployment Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27883",
"datePublished": "2026-06-30T14:32:25.434Z",
"dateReserved": "2026-02-24T15:19:29.716Z",
"dateUpdated": "2026-07-01T14:29:37.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27882 (GCVE-0-2026-27882)
Vulnerability from nvd – Published: 2026-06-30 14:26 – Updated: 2026-06-30 15:58
VLAI
Title
Coolify: Timing Attack in GitLab Webhook Token Validation
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461.
Severity
4.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.461
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27882",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:49:02.818184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:58:02.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-x525-46rq-mr8c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.461"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:26:44.422Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-x525-46rq-mr8c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-x525-46rq-mr8c"
}
],
"source": {
"advisory": "GHSA-x525-46rq-mr8c",
"discovery": "UNKNOWN"
},
"title": "Coolify: Timing Attack in GitLab Webhook Token Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27882",
"datePublished": "2026-06-30T14:26:44.422Z",
"dateReserved": "2026-02-24T15:19:29.715Z",
"dateUpdated": "2026-06-30T15:58:02.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27881 (GCVE-0-2026-27881)
Vulnerability from nvd – Published: 2026-06-30 14:28 – Updated: 2026-06-30 19:04
VLAI
Title
Coolify: Cross-team deployment information disclosure via GET /api/v1/deployments/{uuid} (IDOR)
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.
Severity
5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27881",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T19:04:32.392276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T19:04:51.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5p5w-h58c-2h5m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user\u0027s team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:28:38.449Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5p5w-h58c-2h5m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5p5w-h58c-2h5m"
}
],
"source": {
"advisory": "GHSA-5p5w-h58c-2h5m",
"discovery": "UNKNOWN"
},
"title": "Coolify: Cross-team deployment information disclosure via GET /api/v1/deployments/{uuid} (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27881",
"datePublished": "2026-06-30T14:28:38.449Z",
"dateReserved": "2026-02-24T15:19:29.715Z",
"dateUpdated": "2026-06-30T19:04:51.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42153 (GCVE-0-2026-42153)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:30 – Updated: 2026-07-06 21:30
VLAI
Title
Coolify: PostgreSQL Healthcheck Command Injection Allows Root Code Execution in Container
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled database settings (postgres_user and postgres_db) in shell-form commands, allowing an authenticated user to inject commands executed in the database container. This issue is fixed in version 4.0.0-beta.474.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9674 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/b74f… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled database settings (postgres_user and postgres_db) in shell-form commands, allowing an authenticated user to inject commands executed in the database container. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:30:44.813Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-gvc4-f276-r88p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-gvc4-f276-r88p"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9674",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9674"
},
{
"name": "https://github.com/coollabsio/coolify/commit/b74f54302b1a857c22c55fe1210d700859b0b3df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/b74f54302b1a857c22c55fe1210d700859b0b3df"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-gvc4-f276-r88p",
"discovery": "UNKNOWN"
},
"title": "Coolify: PostgreSQL Healthcheck Command Injection Allows Root Code Execution in Container"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42153",
"datePublished": "2026-07-06T21:30:44.813Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-07-06T21:30:44.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34167 (GCVE-0-2026-34167)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:28 – Updated: 2026-07-06 21:28
VLAI
Title
Coolify: Cross-tenant activity log disclosure via unlocked Livewire property in ActivityMonitor
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute. It loads activities via Activity::find($this->activityId) with no authorization or team scoping. Activity IDs are auto-incrementing integers. Any authenticated user can enumerate activity records across all teams and read the full command output from remote SSH processes, which may include secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471.
Severity
5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9189 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/2729… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire\u0027s #[Locked] attribute. It loads activities via Activity::find($this-\u003eactivityId) with no authorization or team scoping. Activity IDs are auto-incrementing integers. Any authenticated user can enumerate activity records across all teams and read the full command output from remote SSH processes, which may include secrets, configuration files, and infrastructure details. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:28:24.046Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-962v-gxmw-56hc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-962v-gxmw-56hc"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9189",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9189"
},
{
"name": "https://github.com/coollabsio/coolify/commit/2729dffb3e30167c1ffd642357b7e0bb99b7d180",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/2729dffb3e30167c1ffd642357b7e0bb99b7d180"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-962v-gxmw-56hc",
"discovery": "UNKNOWN"
},
"title": "Coolify: Cross-tenant activity log disclosure via unlocked Livewire property in ActivityMonitor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34167",
"datePublished": "2026-07-06T21:28:24.046Z",
"dateReserved": "2026-03-25T20:12:04.197Z",
"dateUpdated": "2026-07-06T21:28:24.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34049 (GCVE-0-2026-34049)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:22 – Updated: 2026-07-06 21:22
VLAI
Title
Coolify: Command Injection via unsanitized MongoDB collection names in database backup
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure backup inputs to inject commands. This issue is fixed in version 4.0.0-beta.471.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9168 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/b1de… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
>= 4.0.0-beta.451, < 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-beta.451, \u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure backup inputs to inject commands. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:22:46.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4mpw-wcj4-v9pp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4mpw-wcj4-v9pp"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9168",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9168"
},
{
"name": "https://github.com/coollabsio/coolify/commit/b1de75a7c67ce6aee977bd788b41e61837dbe0b9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/b1de75a7c67ce6aee977bd788b41e61837dbe0b9"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-4mpw-wcj4-v9pp",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command Injection via unsanitized MongoDB collection names in database backup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34049",
"datePublished": "2026-07-06T21:22:46.878Z",
"dateReserved": "2026-03-25T15:29:04.745Z",
"dateUpdated": "2026-07-06T21:22:46.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34599 (GCVE-0-2026-34599)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:20 – Updated: 2026-07-06 21:20
VLAI
Title
Coolify: Authenticated Remote Code Execution in GetLogs Livewire Component
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership (lowest privilege member role) to execute arbitrary commands as root on managed servers. The $container Livewire public property is interpolated directly into shell commands (docker logs, docker service logs) without sanitization, and can be modified by any client via the Livewire wire protocol because it lacks the #[Locked] attribute. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9229 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/f267… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership (lowest privilege member role) to execute arbitrary commands as root on managed servers. The $container Livewire public property is interpolated directly into shell commands (docker logs, docker service logs) without sanitization, and can be modified by any client via the Livewire wire protocol because it lacks the #[Locked] attribute. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:20:56.608Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q9j6-xcvx-px63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q9j6-xcvx-px63"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9229",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9229"
},
{
"name": "https://github.com/coollabsio/coolify/commit/f267a28cb2badc7e712c4592af4d79d090fe5063",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/f267a28cb2badc7e712c4592af4d79d090fe5063"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471"
}
],
"source": {
"advisory": "GHSA-q9j6-xcvx-px63",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated Remote Code Execution in GetLogs Livewire Component"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34599",
"datePublished": "2026-07-06T21:20:56.608Z",
"dateReserved": "2026-03-30T17:15:52.499Z",
"dateUpdated": "2026-07-06T21:20:56.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42204 (GCVE-0-2026-42204)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:17 – Updated: 2026-07-06 21:17
VLAI
Title
Coolify: Authenticated RCE via SHELL_SAFE_COMMAND_PATTERN regression → host root
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELL_SAFE_COMMAND_PATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an authenticated team member to inject shell commands that execute on the host. This issue is fixed in version 4.0.0-beta.474.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9684 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/e1aa… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
>= 4.0.0-beta.471, < 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-beta.471, \u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELL_SAFE_COMMAND_PATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an authenticated team member to inject shell commands that execute on the host. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:17:16.800Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-chg4-63hm-xv9x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-chg4-63hm-xv9x"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9684",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9684"
},
{
"name": "https://github.com/coollabsio/coolify/commit/e1aac50b745cf499e710b7e35cd2a9d6a1538dd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/e1aac50b745cf499e710b7e35cd2a9d6a1538dd9"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474"
}
],
"source": {
"advisory": "GHSA-chg4-63hm-xv9x",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated RCE via SHELL_SAFE_COMMAND_PATTERN regression \u2192 host root"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42204",
"datePublished": "2026-07-06T21:17:16.800Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-07-06T21:17:16.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42148 (GCVE-0-2026-42148)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:14 – Updated: 2026-07-06 21:14
VLAI
Title
Coolify: Command Injection via Unescaped Version String in Docker Build
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping, allowing an attacker who can set the helper version and trigger the helper image build in a development environment to execute arbitrary commands on the server. This issue is fixed in version 4.0.0-beta.474.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9670 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/dc93… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping, allowing an attacker who can set the helper version and trigger the helper image build in a development environment to execute arbitrary commands on the server. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:14:31.801Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-x9qh-w4c4-54f9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-x9qh-w4c4-54f9"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9670",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9670"
},
{
"name": "https://github.com/coollabsio/coolify/commit/dc9322b11f5f4ab96e56af0df7d4f877e96e5e4c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/dc9322b11f5f4ab96e56af0df7d4f877e96e5e4c"
}
],
"source": {
"advisory": "GHSA-x9qh-w4c4-54f9",
"discovery": "UNKNOWN"
},
"title": "Coolify: Command Injection via Unescaped Version String in Docker Build"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42148",
"datePublished": "2026-07-06T21:14:31.801Z",
"dateReserved": "2026-04-24T17:15:21.834Z",
"dateUpdated": "2026-07-06T21:14:31.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34153 (GCVE-0-2026-34153)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:12 – Updated: 2026-07-06 21:12
VLAI
Title
Coolify LocalFileVolume fs_path command injection enables RCE
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-controlled file-mount path before creating a volume, allowing an authenticated user who can add file storage to execute commands when the storage is saved. This issue is fixed in version 4.0.0-beta.471.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9176 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/3fdc… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-controlled file-mount path before creating a volume, allowing an authenticated user who can add file storage to execute commands when the storage is saved. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:12:46.488Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-46hp-7m8g-7622",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-46hp-7m8g-7622"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9176",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9176"
},
{
"name": "https://github.com/coollabsio/coolify/commit/3fdce06b654fa3b7b4be59c0faaab6b4546c78de",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/3fdce06b654fa3b7b4be59c0faaab6b4546c78de"
}
],
"source": {
"advisory": "GHSA-46hp-7m8g-7622",
"discovery": "UNKNOWN"
},
"title": "Coolify LocalFileVolume fs_path command injection enables RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34153",
"datePublished": "2026-07-06T21:12:46.488Z",
"dateReserved": "2026-03-25T20:12:04.196Z",
"dateUpdated": "2026-07-06T21:12:46.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41899 (GCVE-0-2026-41899)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:10 – Updated: 2026-07-06 21:10
VLAI
Title
Coolify unauthenticated feedback endpoint allows Discord webhook abuse
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling spam, content injection, and webhook abuse. This issue is fixed in version 4.0.0-beta.474.
Severity
6.5 (Medium)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9653 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/371e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.474
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.474"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling spam, content injection, and webhook abuse. This issue is fixed in version 4.0.0-beta.474."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:10:40.097Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-v64c-v633-58xp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-v64c-v633-58xp"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9653",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9653"
},
{
"name": "https://github.com/coollabsio/coolify/commit/371e883c75a87d82c398bf89ee8ad6387348520d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/371e883c75a87d82c398bf89ee8ad6387348520d"
}
],
"source": {
"advisory": "GHSA-v64c-v633-58xp",
"discovery": "UNKNOWN"
},
"title": "Coolify unauthenticated feedback endpoint allows Discord webhook abuse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41899",
"datePublished": "2026-07-06T21:10:40.097Z",
"dateReserved": "2026-04-22T15:11:54.672Z",
"dateUpdated": "2026-07-06T21:10:40.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34050 (GCVE-0-2026-34050)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:08 – Updated: 2026-07-06 21:08
VLAI
Title
Coolify Settings/Updates Livewire component missing instance administrator authorization
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update checks. This issue is fixed in version 4.0.0-beta.471.
Severity
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9206 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/0fed… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.471
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.471"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update checks. This issue is fixed in version 4.0.0-beta.471."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:08:08.611Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-c339-w3cq-2rjr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-c339-w3cq-2rjr"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9206",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9206"
},
{
"name": "https://github.com/coollabsio/coolify/commit/0fed553207383f384b93cba24d28122065fa67d5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/0fed553207383f384b93cba24d28122065fa67d5"
}
],
"source": {
"advisory": "GHSA-c339-w3cq-2rjr",
"discovery": "UNKNOWN"
},
"title": "Coolify Settings/Updates Livewire component missing instance administrator authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34050",
"datePublished": "2026-07-06T21:08:08.611Z",
"dateReserved": "2026-03-25T15:29:04.746Z",
"dateUpdated": "2026-07-06T21:08:08.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32718 (GCVE-0-2026-32718)
Vulnerability from cvelistv5 – Published: 2026-07-06 21:04 – Updated: 2026-07-06 21:04
VLAI
Title
Coolify read-scoped API tokens can perform state-changing validation operations
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and servers. This issue is fixed in version 4.0.0-beta.466.
Severity
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/8893 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/c15b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.466
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.466"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and servers. This issue is fixed in version 4.0.0-beta.466."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T21:04:59.845Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f47p-xrgc-977v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f47p-xrgc-977v"
},
{
"name": "https://github.com/coollabsio/coolify/pull/8893",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/8893"
},
{
"name": "https://github.com/coollabsio/coolify/commit/c15bcd56347fc8c535755791e92e4f6c2af17e3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/c15bcd56347fc8c535755791e92e4f6c2af17e3a"
}
],
"source": {
"advisory": "GHSA-f47p-xrgc-977v",
"discovery": "UNKNOWN"
},
"title": "Coolify read-scoped API tokens can perform state-changing validation operations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32718",
"datePublished": "2026-07-06T21:04:59.845Z",
"dateReserved": "2026-03-13T14:33:42.825Z",
"dateUpdated": "2026-07-06T21:04:59.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34038 (GCVE-0-2026-34038)
Vulnerability from cvelistv5 – Published: 2026-07-06 20:48 – Updated: 2026-07-06 20:48
VLAI
Title
Coolify authenticated remote command injection leading to RCE and secret exfiltration
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/9007 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/commit/23f9… | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.469
|
{
"containers": {
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.469"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:48:23.396Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp"
},
{
"name": "https://github.com/coollabsio/coolify/pull/9007",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/9007"
},
{
"name": "https://github.com/coollabsio/coolify/commit/23f9156c7306b221101f1ebbe4d3c6b5e2522acd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/23f9156c7306b221101f1ebbe4d3c6b5e2522acd"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.469",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.469"
}
],
"source": {
"advisory": "GHSA-qqrq-r9h4-x6wp",
"discovery": "UNKNOWN"
},
"title": "Coolify authenticated remote command injection leading to RCE and secret exfiltration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34038",
"datePublished": "2026-07-06T20:48:23.396Z",
"dateReserved": "2026-03-25T15:29:04.744Z",
"dateUpdated": "2026-07-06T20:48:23.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27957 (GCVE-0-2026-27957)
Vulnerability from cvelistv5 – Published: 2026-06-30 14:39 – Updated: 2026-06-30 15:29
VLAI
Title
Coolify: Authenticated RCE via command injection in CA certificate management feature
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically would have to either be root or part of the docker group for Coolify to function as intended, this provides complete compromise of the managed server and associated docker containers. This vulnerability is fixed in 4.0.0-beta.464.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27957",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:29:10.351560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:29:33.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-7g97-c4xv-3cjx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically would have to either be root or part of the docker group for Coolify to function as intended, this provides complete compromise of the managed server and associated docker containers. This vulnerability is fixed in 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:39:06.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-7g97-c4xv-3cjx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-7g97-c4xv-3cjx"
}
],
"source": {
"advisory": "GHSA-7g97-c4xv-3cjx",
"discovery": "UNKNOWN"
},
"title": "Coolify: Authenticated RCE via command injection in CA certificate management feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27957",
"datePublished": "2026-06-30T14:39:06.297Z",
"dateReserved": "2026-02-25T03:24:57.792Z",
"dateUpdated": "2026-06-30T15:29:33.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27956 (GCVE-0-2026-27956)
Vulnerability from cvelistv5 – Published: 2026-06-30 14:38 – Updated: 2026-06-30 15:06
VLAI
Title
Coolify: Cross-team application domain enumeration via domains_by_server endpoint
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| coollabsio | coolify |
Affected:
< 4.0.0-beta.464
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:06:07.402403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:06:17.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.464"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:38:15.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-9x6p-29p3-h466",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-9x6p-29p3-h466"
}
],
"source": {
"advisory": "GHSA-9x6p-29p3-h466",
"discovery": "UNKNOWN"
},
"title": "Coolify: Cross-team application domain enumeration via domains_by_server endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27956",
"datePublished": "2026-06-30T14:38:15.149Z",
"dateReserved": "2026-02-25T03:11:36.691Z",
"dateUpdated": "2026-06-30T15:06:17.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}