Command Injection Vulnerability in Coolify by Coollabs.io
CVE-2026-34057

8.8HIGH

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-34057?

Coolify, a self-hostable tool for server management, is susceptible to a command injection vulnerability prior to version 4.0.0-beta.471. This flaw exists within the database import Livewire component, where it permits user-controlled input to access shell commands without adequate locking or validation mechanisms in place. An authenticated user could exploit this weakness by injecting arbitrary commands through the database import container name, potentially compromising the server environment. Users are advised to upgrade to the patched version to secure their systems.

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.