CVE-2026-34597

HIGH

Coolify: Authenticated Host RCE

Title source: cna
STIX 2.1

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.

References (1)

Core 1
Core References

Scores

CVSS v3 8.8
EPSS 0.0053
EPSS Percentile 40.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
coollabsio/coolify < 4.0.0-beta.470
Published Jun 29, 2026
Tracked Since Jun 30, 2026