Authenticated Command Injection Vulnerability in Coolify by Coollabs
CVE-2026-34599
8.8HIGH
What is CVE-2026-34599?
Coolify, an open-source tool for server management, contains an authenticated command injection issue in the GetLogs Livewire component, enabling low-privilege team members to execute arbitrary commands as root on managed servers. The vulnerability arises from the $container Livewire public property being interpolated into shell commands without proper sanitization, allowing manipulation through the Livewire wire protocol. This security flaw affects versions prior to 4.0.0-beta.471 and highlights the critical need for secure coding practices.
Affected Version(s)
coolify < 4.0.0-beta.471
