PatchSiren cyber security CVE debrief
CVE-2026-34038 coollabsio CVE debrief
CVE-2026-34038 is a critical remote command injection vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability exists in the application deployment handling and allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469. Affected deployments should be reviewed for exposure.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of Coolify versions prior to 4.0.0-beta.469 who have application write permissions should be aware of this vulnerability and take immediate action to upgrade to the patched version. Operators, security teams, and platform administrators should review exposure and implement compensating controls if needed.
Technical summary
The vulnerability is caused by a lack of proper input validation in the application deployment handling of Coolify. Specifically, the dockerfile_location and deployment commands fields do not properly sanitize user input, allowing an authenticated user with application write permissions to inject arbitrary commands. This can lead to remote code execution and the exfiltration of sensitive environment variables through deployment logs. Defenders should focus on upgrading to the patched version.
Defensive priority
High
Recommended defensive actions
- Upgrade to Coolify version 4.0.0-beta.469 or later
- Restrict application write permissions to only trusted users
- Monitor deployment logs for suspicious activity
- Implement additional security controls, such as input validation and sanitization
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-06T21:16:55.370Z and was last modified on 2026-07-07T13:22:13.557Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify Coolify version and user permissions.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:55.370Z and has not been modified since then. The NVD entry is currently Deferred.