CVE-2026-42143
HIGHCoolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers
Title source: cnaDescription
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/coollabsio/coolify/security/advisories/GHSA-6pmw-6m96-4v4m
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/d2064dd4998694cda2eabd00149f7c4d1e94c699
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471
Scores
CVSS v3
8.8
EPSS
0.0043
EPSS Percentile
35.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
coollabsio/coolify
< 4.0.0-beta.471
Published
Jul 07, 2026
Tracked Since
Jul 07, 2026