Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.
Published: 2026-06-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Coolify allows a logged‑in user to inject arbitrary shell commands into the Nixpacks build process. The install_command supplied by a user is concatenated directly into a shell command string that runs on the deployment host, so shell metacharacters in that value terminate the intended build invocation and start commands of the attacker's choosing, which execute with the privileges of the process that runs the build on the host. This permits the compromise of the underlying machine and jeopardizes the confidentiality, integrity, and availability of all services running on that host.
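The concatenation pattern described above, shown as an added illustration (this is not Coolify's code and not part of the OpenCVE analysis). The command shape `nixpacks build . --install-cmd "..." --name app` is an assumption chosen for the example, the `nixpacks` binary is replaced by a constructed stub that only records its arguments, and the payload writes a marker file instead of doing anything harmful. The vulnerable builder drops the user value into a shell string; the hardened variants pass it as exactly one argument, either by quoting it with `shlex.quote` or by avoiding the shell entirely.

```python
"""Added example: CWE-78 in a build-command builder, vulnerable vs. hardened.

Not Coolify's code. The nixpacks invocation shape, the stub tool and the
marker-file payload are all constructed for this illustration.
"""
import os
import shlex
import stat
import subprocess
import tempfile
from typing import List, Union

# Constructed stand-in for the real build tool: writes its argv, one per line,
# so we can inspect what the user-controlled value looked like on arrival.
FAKE_NIXPACKS = """#!/bin/sh
printf '%s\\n' "$@" > "$NIXPACKS_ARGV_LOG"
"""

# Constructed inputs: a plausible legitimate value, and one that closes the
# double quote, runs its own commands, then reopens a quote to keep the
# remainder of the command line syntactically valid.
BENIGN_INSTALL_CMD = "npm ci --omit=dev"
MALICIOUS_INSTALL_CMD = 'npm ci" ; echo pwned > "$MARKER" ; echo "'


def vulnerable_build_command(install_cmd: str) -> str:
    """The advisory's pattern: untrusted text interpolated into a shell string."""
    return f'nixpacks build . --install-cmd "{install_cmd}" --name app'


def hardened_build_command(install_cmd: str) -> str:
    """Still a shell string (e.g. for an SSH session), but the value is quoted
    so the shell sees one word regardless of its contents."""
    return f"nixpacks build . --install-cmd {shlex.quote(install_cmd)} --name app"


def hardened_argv(install_cmd: str) -> List[str]:
    """Preferred form: no shell at all, the value is one argv element."""
    return ["nixpacks", "build", ".", "--install-cmd", install_cmd, "--name", "app"]


def shell_command_count(shell_string: str) -> int:
    """How many top-level commands a POSIX shell would run for shell_string.
    Anything above 1 for a single build invocation means injection."""
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=True)
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def run_in_sandbox(command: Union[str, List[str]]) -> dict:
    """Run the command with the stub nixpacks first on PATH and report whether
    the injected payload fired and what argv the stub received."""
    with tempfile.TemporaryDirectory() as tmp:
        tool = os.path.join(tmp, "nixpacks")
        with open(tool, "w") as fh:
            fh.write(FAKE_NIXPACKS)
        os.chmod(tool, os.stat(tool).st_mode | stat.S_IXUSR)

        argv_log = os.path.join(tmp, "argv.log")
        marker = os.path.join(tmp, "pwned")  # created only if injection works
        env = dict(
            os.environ,
            PATH=tmp + os.pathsep + os.environ.get("PATH", ""),
            NIXPACKS_ARGV_LOG=argv_log,
            MARKER=marker,
        )
        argv = ["sh", "-c", command] if isinstance(command, str) else command
        subprocess.run(argv, env=env, check=False, timeout=10,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

        received: List[str] = []
        if os.path.exists(argv_log):
            with open(argv_log) as fh:
                received = fh.read().splitlines()
        return {"marker_created": os.path.exists(marker), "argv": received}


if __name__ == "__main__":
    for label, cmd in (
        ("vulnerable", vulnerable_build_command(MALICIOUS_INSTALL_CMD)),
        ("quoted", hardened_build_command(MALICIOUS_INSTALL_CMD)),
        ("argv", hardened_argv(MALICIOUS_INSTALL_CMD)),
    ):
        print(label, run_in_sandbox(cmd))
```

In the vulnerable case the stub sees only `build . --install-cmd "npm ci"` and the marker file appears, because the shell executed the attacker's second and third commands. With `shlex.quote`, or with the argv list, the stub receives the entire payload verbatim as the install command and nothing else runs; `$MARKER` is not even expanded. Note that `shell_command_count` is a cheap pre-flight check on a command string, not a sanitizer: the fix is to stop re-parsing user input with a shell, not to filter characters.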

Affected Systems

The product is Coolify from coollabsio. Versions earlier than 4.0.0‑beta.470 are affected. 4.0.0‑beta.470 and newer contain the fix for this issue.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) classifies the weakness as High severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The requirement for authentication (PR:L) limits the attacker's scope to accounts that can set build parameters and trigger a build; once authenticated, no user interaction is needed and the attacker can run arbitrary shell commands on the host during deployment. The SSVC decision points recorded for this CVE list Exploitation as 'poc', so a proof of concept exists, and Technical Impact as 'total'. The absence of a KEV listing does not diminish the potential impact, as the flaw is reachable by anyone with access to the build configuration interface.

Generated by OpenCVE AI on June 29, 2026 at 22:23 UTC.

Remediation

The vendor fix is in Coolify 4.0.0‑beta.470, as stated in the description; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Coolify to version 4.0.0‑beta.470 or later
  • If upgrade is not immediately possible, restrict or disable Nixpacks build packs for non‑trusted users and lock build command inputs to mitigate injection
  • After applying the patch, monitor deployment logs for unexpected command execution and verify that install_command values reach the build tool as a single quoted argument rather than being interpolated into a shell command string

Generated by OpenCVE AI on June 29, 2026 at 22:23 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Coollabsio; Coollabsio coolify
Vendors & Products                    Coollabsio; Coollabsio coolify

Mon, 29 Jun 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.
Title                          Coolify: Authenticated Host RCE
Weaknesses                     CWE-78
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Coollabsio Coolify
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T13:16:09.274Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34597

Vulnrichment

Updated: 2026-06-30T13:15:55.448Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T02:00:04Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')