PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34038 coollabsio CVE debrief

CVE-2026-34038 is a critical remote command injection vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability exists in the application deployment handling and allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469. Affected deployments should be reviewed for exposure.

Vendor
coollabsio
Product
coolify
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of Coolify versions prior to 4.0.0-beta.469 who have application write permissions should be aware of this vulnerability and take immediate action to upgrade to the patched version. Operators, security teams, and platform administrators should review exposure and implement compensating controls if needed.

Technical summary

The vulnerability is caused by a lack of proper input validation in the application deployment handling of Coolify. Specifically, the dockerfile_location and deployment commands fields do not properly sanitize user input, allowing an authenticated user with application write permissions to inject arbitrary commands. This can lead to remote code execution and the exfiltration of sensitive environment variables through deployment logs. Defenders should focus on upgrading to the patched version.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Coolify version 4.0.0-beta.469 or later
  • Restrict application write permissions to only trusted users
  • Monitor deployment logs for suspicious activity
  • Implement additional security controls, such as input validation and sanitization
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-06T21:16:55.370Z and was last modified on 2026-07-07T13:22:13.557Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify Coolify version and user permissions.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:55.370Z and has not been modified since then. The NVD entry is currently Deferred.