Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-34038: Critical Coolify RCE via Authenticated Command Injection (CVSS 9.9)
CVE-2026-34038: Critical Coolify RCE via Authenticated Command Injection (CVSS 9.9)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-34038

CVE-2026-34038: Critical Coolify RCE via Authenticated Command Injection (CVSS 9.9)

A critical command injection vulnerability in Coolify's deployment pipeline allows any authenticated user with write access to execute arbitrary OS commands and exfiltrate all environment variables — including API keys and database credentials — on the host system.

Dylan H.

Security Team

July 7, 2026
5 min read

Affected Products

  • Coolify < 4.0.0-beta.469

Executive Summary

A critical authenticated remote command injection vulnerability (CVE-2026-34038) has been disclosed in Coolify, the popular open-source self-hostable PaaS platform used by tens of thousands of developers and small businesses as an alternative to Heroku and Vercel. The flaw carries a CVSS score of 9.9 and allows any user with write access on a Coolify instance to execute arbitrary OS commands on the underlying host and dump all environment variables — including API keys, database credentials, and secrets — directly through deployment logs.

CVSS Score: 9.9 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The flaw is fixed in Coolify 4.0.0-beta.469. Administrators running any earlier version should update immediately and rotate all secrets stored in their Coolify deployments.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-34038
CWECWE-78 (Improper Neutralization of Special Elements in OS Commands)
CVSS Score9.9 (Critical)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow (any authenticated user with write access)
User InteractionNone
ScopeChanged (C) — host-level impact from application context
GitHub AdvisoryGHSA-qqrq-r9h4-x6wp

Affected Versions

SoftwareAffected VersionsFixed Version
CoolifyAll versions up to and including 4.0.0-beta.4624.0.0-beta.469

Technical Details

The vulnerability exists in ApplicationDeploymentJob.php and arises from two user-controlled fields that are passed directly into Docker build commands without adequate shell escaping:

  1. dockerfile_location — a user-supplied file path inserted into Docker build commands without sanitization
  2. pre_deployment_command — a native shell command field with insufficient input validation

An attacker injects standard shell metacharacters (;, &&, backticks) to break out of the intended command boundaries. A minimal proof-of-concept payload:

; echo 'EXPLOIT_START'; env; echo 'EXPLOIT_END'; #

When placed in the pre_deployment_command field and a deployment is triggered, this chains arbitrary commands into the build pipeline. The output appears in deployment logs, which any user with read:sensitive permissions can access — resulting in full exfiltration of every environment variable loaded into the deployment context.

Attack Chain

1. Attacker authenticates to Coolify with any write-privilege account
2. Attacker sets dockerfile_location or pre_deployment_command to malicious payload
3. Attacker triggers a deployment (or waits for scheduled deployment)
4. Shell metacharacters break out of intended command scope
5. Injected commands execute with deployment process privileges on the host
6. env output (API keys, DB creds, secrets) captured in deployment logs
7. Attacker reads logs to harvest all environment variable values

Impact

The S:C (Scope Changed) indicator in the CVSS vector is critical context here. A successful exploit breaks out of the application's security boundary and directly impacts the host system. In shared Coolify deployments where multiple teams or projects coexist, this is effectively a privilege escalation from low-privilege developer to host-level RCE.

Impact AreaDescription
Host RCEExecute arbitrary OS commands with deployment process privileges
Secret ExfiltrationDump all env vars — API keys, DB passwords, tokens, TLS keys
Lateral MovementPivot from compromised Coolify host to other networked systems
PersistenceBackdoors installable without malware flagging (process-based)
Data BreachAccess to all databases configured in Coolify deployments

Remediation

Immediate Action: Update to 4.0.0-beta.469

# Via Coolify self-update (recommended)
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
 
# Check current version in Coolify dashboard:
# Settings > General > Coolify Version

The patch in beta.469 implements:

  • Strict input validation using allowlist regex (e.g., ^[a-zA-Z0-9._\-/]+$) on path inputs
  • escapeshellarg() wrapping on all user-supplied values inserted into shell commands
  • Path traversal blocking — .. sequences are rejected at the validation layer

If Immediate Update Is Not Possible

  1. Restrict Coolify write access — audit all user accounts; revoke write permissions from accounts that do not require deployment access
  2. Audit deployment logs for unexpected command output or environment variable dumps
  3. Rotate all secrets in Coolify environment variables as a precautionary measure
  4. Disable external-facing deployments until patching is complete if operating in a shared environment

Post-Patch Credential Rotation

Because this vulnerability could have been silently exploited before disclosure, rotate secrets even after patching:

# Identify all secrets stored in your Coolify environment variables
# Then rotate in order of criticality:
# 1. Database passwords
# 2. API keys (cloud providers, payment processors, third-party services)
# 3. OAuth secrets / JWT signing keys
# 4. TLS private keys if stored as env vars
# 5. Notification / webhook tokens

Detection Indicators

IndicatorDescription
Unexpected env output in deployment logsClassic env-dump exfiltration payload executed
Shell metacharacters in deployment config fieldsAttacker-controlled injection points
Deployment logs containing output from unexpected commandsInjected commands ran alongside build
Unusual outbound connections from the Coolify hostPost-exploitation data exfiltration

References

  • NVD — CVE-2026-34038
  • GitHub Advisory — GHSA-qqrq-r9h4-x6wp
  • Coolify GitHub — coollabsio/coolify
#CVE-2026-34038#Coolify#RCE#Command Injection#Self-Hosted#PaaS#Critical

Related Articles

UniFi Connect Critical RCE via Command Injection CVE-2026-50746

A maximum-severity command injection vulnerability in Ubiquiti's UniFi Connect Application allows any network-accessible attacker to execute arbitrary OS...

4 min read

UniFi Access Application Command Injection RCE CVE-2026-50748

An improper input validation flaw in Ubiquiti's UniFi Access Application enables low-privileged network attackers to inject OS commands and execute...

4 min read

CVE-2026-5433: Honeywell CNM Critical Command Injection RCE

A CVSS 9.1 critical command injection vulnerability in Honeywell's Control Network Module web interface allows remote attackers to execute arbitrary...

6 min read
Back to all Security Alerts