PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34149 coollabsio CVE debrief

CVE-2026-34149 is a command injection vulnerability in Coolify's DatabaseBackupJob feature. Prior to version 4.0.0-beta.471, user-controlled database credentials and MongoDB collection exclusion names are interpolated into backup shell commands without adequate escaping. This allows an authenticated user with database management permissions to execute commands on managed servers. The vulnerability has a low CVSS score of 3.3, but it can still have significant impacts if exploited. Users of Coolify, especially those with database management permissions, should be aware of this vulnerability and take steps to protect themselves.

Vendor
coollabsio
Product
coolify
CVSS
LOW 3.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Coolify, especially those with database management permissions, should be aware of this vulnerability and take steps to protect themselves. This vulnerability has a low CVSS score of 3.3, but it can still have significant impacts if exploited. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and take necessary actions to protect their systems.

Technical summary

The vulnerability exists in the DatabaseBackupJob feature of Coolify, where user-controlled input is not properly sanitized before being used in shell commands. This allows an attacker to inject malicious commands, potentially leading to unauthorized execution of commands on managed servers. The issue is fixed in version 4.0.0-beta.471. The vulnerability has a low CVSS score of 3.3, but it can still have significant impacts if exploited.

Defensive priority

Low

Recommended defensive actions

  • Upgrade to Coolify version 4.0.0-beta.471 or later
  • Restrict database management permissions to only those who need them
  • Monitor for suspicious activity on managed servers
  • Implement additional security controls, such as input validation and sanitization
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-07T04:17:49.800Z and last modified on 2026-07-07T15:16:44.403Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in Coolify's DatabaseBackupJob feature, where user-controlled input is not properly sanitized before being used in shell commands.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:49.800Z and has not been modified since then. The NVD entry is currently Deferred.