PT-2026-56008 · Coollabsio · Coolify

Themehackers

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-34038

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile location and deployment commands. This issue is fixed in version 4.0.0-beta.469.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-34038

Affected Products

Coolify