CVE-2026-34597: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.
AI Analysis
Technical Summary
CVE-2026-34597 is an OS command injection vulnerability (CWE-78) in Coolify, an open-source server and application management tool. Before version 4.0.0-beta.470, the install_command parameter in the Nixpacks build pack is directly concatenated into a shell command executed on the deployment host. This improper neutralization of special elements enables authenticated users to escape the intended build context and execute arbitrary commands with host-level privileges. The vulnerability has a CVSS 3.1 score of 8.8, indicating high severity, and is fixed in version 4.0.0-beta.470.
Potential Impact
An authenticated attacker can execute arbitrary commands on the deployment host with host-level privileges during the build phase. This can lead to full system compromise, including confidentiality, integrity, and availability impacts.
Mitigation Recommendations
Upgrade to Coolify version 4.0.0-beta.470 or later, where this vulnerability is fixed. No other mitigation or temporary workaround is indicated in the available data.
CVE-2026-34597: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.
CVSS v3.1
Score 8.8high
Affected software
pkg:github/coollabsio/coolifyRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34597 is an OS command injection vulnerability (CWE-78) in Coolify, an open-source server and application management tool. Before version 4.0.0-beta.470, the install_command parameter in the Nixpacks build pack is directly concatenated into a shell command executed on the deployment host. This improper neutralization of special elements enables authenticated users to escape the intended build context and execute arbitrary commands with host-level privileges. The vulnerability has a CVSS 3.1 score of 8.8, indicating high severity, and is fixed in version 4.0.0-beta.470.
Potential Impact
An authenticated attacker can execute arbitrary commands on the deployment host with host-level privileges during the build phase. This can lead to full system compromise, including confidentiality, integrity, and availability impacts.
Mitigation Recommendations
Upgrade to Coolify version 4.0.0-beta.470 or later, where this vulnerability is fixed. No other mitigation or temporary workaround is indicated in the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T17:15:52.499Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a42de5d27e9c7971980715d
Added to database: 06/29/2026, 21:06:37 UTC
Last enriched: 06/29/2026, 21:21:19 UTC
Last updated: 06/30/2026, 01:57:20 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.