PT-2026-56136 · Coolify · Coolify

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-34168

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471
Description Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. An authenticated user can execute commands on managed servers when a resource is deleted because the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping. This allows the injection of shell metacharacters into the storage name.
Recommendations Update to version 4.0.0-beta.471.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-34168

Affected Products

Coolify