PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34035 coollabsio CVE debrief

CVE-2026-34035 is a high-severity vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability allows an authenticated user to inject commands executed on the host due to insufficient encoding of log drain secret and environment values into shell commands. This issue was fixed in version 4.0.0-beta.466. Affected deployments should be updated to prevent command injection attacks.

Vendor
coollabsio
Product
coolify
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Coolify versions prior to 4.0.0-beta.466 should apply the patch to prevent command injection attacks. Administrators of servers and applications managed through Coolify should verify their inventory and ensure the updated version is deployed. Security teams and vulnerability management teams should review and prioritize updates for affected deployments.

Technical summary

The vulnerability exists in Coolify's handling of log drain secret and environment values. Prior to version 4.0.0-beta.466, these values were interpolated into shell commands without sufficient encoding, allowing an authenticated user to inject commands. The CVSS score for this vulnerability is 8.8, indicating a high severity. The vulnerability is classified under CWE-78. Affected deployments should be updated to version 4.0.0-beta.466 or later.

Defensive priority

High priority should be given to updating Coolify to version 4.0.0-beta.466 or later. Administrators should verify that their deployments are using the patched version and monitor for any suspicious activity.

Recommended defensive actions

  • Update Coolify to version 4.0.0-beta.466 or later
  • Verify inventory of servers and applications managed through Coolify
  • Monitor for suspicious activity
  • Restrict access to authenticated users
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-07T04:17:47.873Z and last modified on 2026-07-07T14:16:29.983Z. The NVD entry is currently Deferred. The vulnerability was fixed in version 4.0.0-beta.466. Evidence is limited, and defenders should verify Coolify deployments and review official advisories for affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:47.873Z and has not been modified since then. The NVD entry is currently Deferred.