Command Injection Vulnerability in Coolify - Open-Source Management Tool
CVE-2026-34594

8.8 HIGH

Key Information:

Vendor: Coollabsio
Status: Vendor
CVE Published: 29 June 2026

What is CVE-2026-34594?

Coolify, an open-source tool for managing servers, applications, and databases, contains a command injection vulnerability that allows users with destination management permissions to execute arbitrary commands on managed servers. The issue arises from improper handling of the 'network' parameter, which is passed directly into shell commands without sanitization. Because the value is never validated, an authenticated user holding those permissions can achieve full remote code execution on affected systems. The vulnerability has been addressed in version 4.0.0-beta.471.
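The advisory describes the classic shape of this bug class: a user-controlled value (here the 'network' parameter) interpolated into a shell command string. The following added example is not Coolify's code and does not reproduce the actual vulnerable call site, which is not on this page; it assumes, hypothetically, that the parameter names a Docker network used in a `docker network` command. It shows the vulnerable string-building pattern beside a hardened version that validates the name against Docker's own allowed character set and passes arguments as an argv list, so no shell ever parses user input.

```python
import re
import subprocess
from typing import List

# Docker restricts resource names to this pattern (leading alphanumeric, then
# alphanumerics, '_', '.' or '-'). Requiring a leading alphanumeric also rules
# out option injection such as a value beginning with '-'.
NETWORK_NAME_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$")


def build_command_unsafe(network: str) -> str:
    """Vulnerable pattern: user input interpolated straight into a shell string.

    The string is returned rather than executed so the defect is visible without
    running anything. Any shell metacharacter in `network` (';', '|', '$(...)')
    becomes part of the command line the shell would interpret.
    """
    return f"docker network inspect {network}"


def validate_network_name(network: str) -> str:
    """Allowlist check: accept only names Docker itself would accept."""
    if not NETWORK_NAME_RE.fullmatch(network):
        raise ValueError(f"invalid network name: {network!r}")
    return network


def build_command_safe(network: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list.

    With a list and shell=False, subprocess passes each element as a single
    argument to the docker binary; there is no shell to split on ';' or '|'.
    """
    return ["docker", "network", "inspect", validate_network_name(network)]


def inspect_network(network: str) -> subprocess.CompletedProcess:
    """Run the hardened command (requires a docker binary; not used by the test)."""
    return subprocess.run(build_command_safe(network), capture_output=True,
                          text=True, check=False)  # shell=False is the default


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one carrying a shell metacharacter.
    for candidate in ("coolify-net_1", "mynet; echo injected"):
        print("unsafe:", build_command_unsafe(candidate))
        try:
            print("safe:  ", build_command_safe(candidate))
        except ValueError as err:
            print("safe:   rejected ->", err)
```

Two controls are layered here on purpose. The allowlist is the primary fix, because it rejects anything that is not a plausible network name regardless of how the value is later used; the argv-list call is defence in depth, so that even a future path that forgets to validate does not hand the value to a shell. Detection-side, the same regex can be applied to audit logs of destination changes to flag values that should never have reached the server.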

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved