PT-2026-56145 · Coolify · Coolify

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-42201

CVSS v3.1

3.3

Low

VectorAV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.474
Description Database credential fields are validated only as strings at the API layer without shell-safety checks. These values are interpolated directly into Docker Compose YAML commands without escaping, which can lead to command injection. The affected variables include redis password, keydb password, dragonfly password, clickhouse admin user, clickhouse admin password, postgres user, and mysql user.
Recommendations Update to version 4.0.0-beta.474.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42201

Affected Products

Coolify