PatchSiren cyber security CVE debrief
CVE-2026-34149 coollabsio CVE debrief
CVE-2026-34149 is a command injection vulnerability in Coolify's DatabaseBackupJob feature. Prior to version 4.0.0-beta.471, user-controlled database credentials and MongoDB collection exclusion names are interpolated into backup shell commands without adequate escaping. This allows an authenticated user with database management permissions to execute commands on managed servers. The vulnerability has a low CVSS score of 3.3, but it can still have significant impacts if exploited. Users of Coolify, especially those with database management permissions, should be aware of this vulnerability and take steps to protect themselves.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- LOW 3.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Coolify, especially those with database management permissions, should be aware of this vulnerability and take steps to protect themselves. This vulnerability has a low CVSS score of 3.3, but it can still have significant impacts if exploited. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and take necessary actions to protect their systems.
Technical summary
The vulnerability exists in the DatabaseBackupJob feature of Coolify, where user-controlled input is not properly sanitized before being used in shell commands. This allows an attacker to inject malicious commands, potentially leading to unauthorized execution of commands on managed servers. The issue is fixed in version 4.0.0-beta.471. The vulnerability has a low CVSS score of 3.3, but it can still have significant impacts if exploited.
Defensive priority
Low
Recommended defensive actions
- Upgrade to Coolify version 4.0.0-beta.471 or later
- Restrict database management permissions to only those who need them
- Monitor for suspicious activity on managed servers
- Implement additional security controls, such as input validation and sanitization
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-07T04:17:49.800Z and last modified on 2026-07-07T15:16:44.403Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in Coolify's DatabaseBackupJob feature, where user-controlled input is not properly sanitized before being used in shell commands.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:49.800Z and has not been modified since then. The NVD entry is currently Deferred.