CVE-2026-34149
LOWCoolify: Authenticated Host-Level RCE via Unescaped Database Credentials in Backup Jobs
Title source: cnaDescription
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an authenticated user with database management permissions to execute commands on managed servers. This issue is fixed in version 4.0.0-beta.471.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/coollabsio/coolify/security/advisories/GHSA-4vff-6j8j-qhcg
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/952f3247970d261ff93f85c79066192f58f9557e
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/99043600ee881fd8581185e7590604d9882382cd
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471
Scores
CVSS v3
3.3
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-78
Status
published
Products (1)
coollabsio/coolify
< 4.0.0-beta.471
Published
Jul 07, 2026
Tracked Since
Jul 07, 2026