CVE-2026-34152

high

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471.

References

https://github.com/coollabsio/coolify/security/advisories/GHSA-5qp8-9gg7-4c86

https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471

https://github.com/coollabsio/coolify/pull/9173

https://github.com/coollabsio/coolify/commit/ad95d65aca064f49b38f73f88d61f842737d5463

Details

Source: Mitre, NVD

Published: 2026-07-07

Updated: 2026-07-07

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00372