Local File Inclusion Vulnerability in Coolify Server Management Tool
CVE-2026-34153

8.8HIGH

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-34153?

Coolify, an open-source server management tool, is susceptible to a Local File Inclusion vulnerability due to improper validation of user-controlled paths in the LocalFileVolume::saveStorageOnServer function. Authenticated users who can add file storage may exploit this weakness to execute arbitrary commands during the storage process. This risk underscores the necessity for robust input validation and secure coding practices. The issue has been addressed in version 4.0.0-beta.471.

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.