Input Validation Flaw in Coolify Affects Docker Deployment Security
CVE-2026-42201

3.3LOW

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-42201?

Coolify, an open-source server management tool, suffers from an input validation flaw affecting several database credential fields. In versions prior to 4.0.0-beta.474, these fields were validated only as strings without robust shell-safety checks at the API layer, creating a security vulnerability. Consequently, user-supplied credentials were directly interpolated into a Docker Compose YAML command without proper escaping, potentially allowing for command injection risks. The issue has been addressed in the specified version.

Affected Version(s)

coolify < 4.0.0-beta.474

References

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.