Command Injection Vulnerability in Coolify Database Backup Handler
CVE-2026-34049

3.3LOW

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-34049?

Coolify, an open-source tool for managing servers and applications, contains a command injection vulnerability due to improper validation of shell metacharacters in its database backup functionality for MongoDB collection names. This flaw allows attackers with high privileges to inject malicious commands through manipulated backup inputs. The vulnerability affects versions from 4.0.0-beta.451 to 4.0.0-beta.470. Users are advised to upgrade to version 4.0.0-beta.471 or later, where the issue is resolved. For more details, refer to the security advisory and release notes.

Affected Version(s)

coolify >= 4.0.0-beta.451, < 4.0.0-beta.471

References

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.