CVE-2026-27955

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.464

Description An issue exists where the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. This allows user-controlled fields docker compose custom build command and docker compose custom start command to be interpolated directly, enabling an attacker to use a single quote to break out of the bash argument and execute arbitrary commands on the managed server host, bypassing the intended Docker container isolation.

Recommendations Update to version 4.0.0-beta.464.