Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing a single quote to break out of the bash -c argument and execute commands on the managed server host (outside the intended Docker container context). This vulnerability is fixed in 4.0.0-beta.464.
Published: 2026-06-30
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in Coolify's executeInDocker() helper, which wraps user-supplied commands in a bash -c string without escaping single quotes. A single quote in the user-supplied value therefore terminates the quoted argument, and whatever follows it is parsed and executed by the host shell rather than inside the Docker container. The vulnerability can be immediately exploited to run any commands with the host's privileges and was addressed by upgrading to version 4.0.0-beta.464.

Affected Systems

All installations of Coollabsio Coolify running a version before 4.0.0-beta.464 that expose the docker_compose_custom_build_command or docker_compose_custom_start_command fields are vulnerable. Anyone with write access to these fields can trigger the injection. No other Coolify releases or components are affected.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity, and no EPSS score is available, so the current exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog, but it provides a clear attack path: an authenticated user who can modify the custom command fields can execute commands on the host. Because the impact is remote command execution on the host, the risk remains significant, especially for environments where untrusted users have write access to those fields.

Generated by OpenCVE AI on June 30, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Coolify to version 4.0.0-beta.464 or newer.
  • Disable or restrict the docker_compose_custom_build_command and docker_compose_custom_start_command fields for all users who should not be able to run arbitrary commands.
  • Implement proper input validation and escape single quotes in any user-supplied command string to eliminate injection vectors.
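The single-quote breakout described above, and the escaping the last recommendation calls for, as an added Python illustration (not Coolify's own code, which is PHP): `wrap_unsafe()` mirrors the bash -c '{$command}' pattern from the advisory, `wrap_safe()` quotes with shlex.quote() (the role PHP's escapeshellarg() plays), and `passes_through_intact()` checks whether the outer shell hands bash the user's text unchanged as one argument. The function names and sample commands are constructed for this example.

```python
import shlex
from typing import Callable, List


def wrap_unsafe(command: str) -> str:
    # The pattern the advisory describes: the user string is dropped straight into
    # bash -c '...' with no escaping, so a single quote in it ends the argument.
    return f"bash -c '{command}'"


def wrap_safe(command: str) -> str:
    # shlex.quote() single-quotes the string and rewrites every embedded ' so the
    # outer shell sees exactly one argument (PHP's escapeshellarg() does the same).
    return f"bash -c {shlex.quote(command)}"


def outer_argv(wrapped: str) -> List[str]:
    # Split the wrapped string into words the way the outer POSIX shell would.
    # Raises ValueError when a quote is left open, which is itself a symptom of
    # the breakout (an odd number of user-supplied single quotes).
    return shlex.split(wrapped)


def passes_through_intact(command: str, wrapper: Callable[[str], str]) -> bool:
    # True only when the outer shell hands bash exactly the user's text as its
    # single -c argument, i.e. the command is treated as data, not re-parsed.
    try:
        argv = outer_argv(wrapper(command))
    except ValueError:
        return False
    return argv == ["bash", "-c", command]


def needs_escaping(command: str) -> bool:
    # Validation check for the unsafe wrapper: any single quote in the user
    # string changes how the outer shell parses the bash -c argument.
    return "'" in command


# Constructed sample inputs: a legitimate build command that happens to contain
# single quotes, and one with an unbalanced quote.
SAMPLE_QUOTED = "docker compose build --build-arg 'FLAGS=-O2 -g'"
SAMPLE_UNBALANCED = "echo it's"

if __name__ == "__main__":
    for cmd in (SAMPLE_QUOTED, SAMPLE_UNBALANCED):
        print(repr(cmd))
        print("  unsafe wrapper keeps it intact:", passes_through_intact(cmd, wrap_unsafe))
        print("  safe wrapper keeps it intact:  ", passes_through_intact(cmd, wrap_safe))
```

With the unsafe wrapper the first sample is split into extra words and the second leaves a quote open; with the safe wrapper both arrive at bash as a single unchanged argument.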

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:30:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 15:00:00 +0000

Values added:
Description: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing a single quote to break out of the bash -c argument and execute commands on the managed server host (outside the intended Docker container context). This vulnerability is fixed in 4.0.0-beta.464.
Title: Coolify: Command Injection via Single-Quote Breakout in `executeInDocker()`
Weaknesses: CWE-78
References:
Metrics (cvssV3_1): {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T15:01:03.061Z

Reserved: 2026-02-25T03:11:36.691Z

Link: CVE-2026-27955

Vulnrichment

Updated: 2026-06-30T15:00:48.352Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:30:16Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')