Remote Code Execution Vulnerability in Coolify by Coollabs
CVE-2026-34149

3.3LOW

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-34149?

Coolify, an open-source and self-hostable management tool for servers and applications, is susceptible to a remote code execution flaw due to insufficient escaping of user-controlled database credentials and MongoDB collection names in backup shell commands. This vulnerability is particularly concerning for authenticated users who have database management permissions, as it could allow them to execute arbitrary commands on the managed servers. The issue has been rectified in version 4.0.0-beta.471, emphasizing the need for users to update their installations promptly.

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.