CVE-2026-34152
HIGHCoolify: Command Injection via Newline in Pre/Post Deployment Commands (Heredoc Transport)
Title source: cnaDescription
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/coollabsio/coolify/security/advisories/GHSA-5qp8-9gg7-4c86
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/pull/9173
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/ad95d65aca064f49b38f73f88d61f842737d5463
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471
Scores
CVSS v3
8.8
EPSS
0.0037
EPSS Percentile
29.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
coollabsio/coolify
< 4.0.0-beta.471
Published
Jul 07, 2026
Tracked Since
Jul 07, 2026