External risk intelligence

Coolify Command Injection Vulnerability Allows Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-34038

Coolify is a self-hosted management platform for applications, databases, and servers. By its nature as an orchestration and deployment tool, it is commonly deployed as a web-accessible management service or interface to facilitate remote infrastructure control, making its web-based administrative surface frequently accessible over the network.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

An authenticated remote command injection vulnerability exists in the application deployment handling of Coolify, a server and application management tool. This flaw could allow a user with write permissions to execute arbitrary code on the system and access sensitive environment variables. The issue is addressed in version 4.0.0-beta.469.

  • Unauthorized code execution and data access risk.
  • Affects systems managing servers and applications.
  • Confirm relevance and exposure to Coolify deployments.

Attack Path

How an attacker could exploit the issue

An attacker with write permissions for an application within Coolify could exploit this vulnerability. By manipulating specific fields related to application deployment, such as `dockerfile_location` or deployment commands, the attacker can inject arbitrary commands. This leads to remote code execution on the server and the potential exfiltration of sensitive environment variables through deployment logs.

  • Authenticated user with write access.
  • Inject commands into deployment fields.
  • Remote code execution and data theft.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an authenticated user with application write permissions could execute arbitrary commands on the server, potentially leading to the exfiltration of sensitive environment variables through deployment logs.

  • Server environment variables at risk.
  • Via application deployment handling.
  • Sensitive data exfiltration possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for managing Coolify instances, given its role in server, application, and database management. The first practical step is to identify all deployed instances, confirm their exposure and business criticality, and then ascertain the accountable owner to plan remediation.

  • Confirm application owner and instance exposure.
  • Verify affected deployments and associated data.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coolify?

Coolify is an open-source, self-hosted platform used to manage servers, databases, and application deployments. It acts as a centralized dashboard that automates infrastructure tasks, allowing users to coordinate various software environments and deployment pipelines from a single web interface.

What does CVE-2026-34038 mean?

This CVE describes a command injection vulnerability, classified as CWE-78. In simple terms, the software fails to properly sanitize input in specific deployment fields, allowing a user to insert unauthorized system commands. Because Coolify processes these commands during application deployment, an attacker can trick the system into running malicious instructions on the host server.

How is this vulnerability triggered?

An attacker must already have authenticated access to the Coolify instance with application write permissions. The flaw is triggered by manipulating configuration fields like the Dockerfile location or custom deployment commands. It does not trigger if a user lacks these specific write permissions or interacts with read-only components of the platform.

Is my instance relevant to this risk?

Halo Surface Signal indicates that because Coolify is an orchestration tool, it is often configured as a web-accessible management service for remote infrastructure control. If your Coolify instance is accessible over the network, it faces a higher likelihood of being reachable by an attacker who has compromised a user account with the necessary write permissions.

What should I do if I use Coolify?

Your first step is to verify the version of your Coolify instance. If you are running any version prior to 4.0.0-beta.469, you are affected by this vulnerability. You should prioritize updating your software to version 4.0.0-beta.469 or later to apply the necessary fix and mitigate the risk of unauthorized remote code execution.

References