PT-2026-56136 · Coolify · Coolify
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-34168
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Coolify versions prior to 4.0.0-beta.471
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. An authenticated user can execute commands on managed servers when a resource is deleted because the
LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping. This allows the injection of shell metacharacters into the storage name.Recommendations
Update to version 4.0.0-beta.471.
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coolify