Command Injection Vulnerability in Coolify Database Backup Handler
CVE-2026-34049
3.3LOW
What is CVE-2026-34049?
Coolify, an open-source tool for managing servers and applications, contains a command injection vulnerability due to improper validation of shell metacharacters in its database backup functionality for MongoDB collection names. This flaw allows attackers with high privileges to inject malicious commands through manipulated backup inputs. The vulnerability affects versions from 4.0.0-beta.451 to 4.0.0-beta.470. Users are advised to upgrade to version 4.0.0-beta.471 or later, where the issue is resolved. For more details, refer to the security advisory and release notes.
Affected Version(s)
coolify >= 4.0.0-beta.451, < 4.0.0-beta.471
