CVE-2026-42143

HIGH

Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers

Title source: cna
STIX 2.1

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.

Scores

CVSS v3 8.8
EPSS 0.0043
EPSS Percentile 35.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
coollabsio/coolify < 4.0.0-beta.471
Published Jul 07, 2026
Tracked Since Jul 07, 2026