PatchSiren cyber security CVE debrief
CVE-2026-34152 coollabsio CVE debrief
CVE-2026-34152 is a high-severity vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability allows an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue was fixed in version 4.0.0-beta.471. Users should review deployment configurations and access controls. The vulnerability has a high CVSS score of 8.8 and is classified as HIGH severity.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Coolify versions prior to 4.0.0-beta.471 should apply the patch to prevent potential command injection attacks. Operators, security teams, and platform administrators are impacted. They should review and restrict access to deployment commands, monitor for suspicious activity, and verify Coolify version and patch status.
Technical summary
The vulnerability exists in the pre-deployment and post-deployment commands of Coolify, which are single-quote escaped but then sent through SSH heredoc transport that preserves newlines. This allows an authenticated user to inject additional shell statements that execute on the remote server during deployment. Technical impact is command injection. The issue arises from insufficient input validation and sanitization of user-supplied input in the deployment commands.
Defensive priority
High
Recommended defensive actions
- Apply the patch by upgrading to Coolify version 4.0.0-beta.471 or later
- Review and restrict access to deployment commands
- Monitor for suspicious activity on the deployment server
- Review compensating controls for exposed systems
- Check relevant monitoring, detection, and logs for exposed assets
- Track exceptions and retest remediated assets
- Verify Coolify version and patch status with limited source information
Evidence notes
The CVE record was published on 2026-07-07T04:17:50.043Z and last modified on 2026-07-07T13:22:13.557Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify Coolify version and patch status with limited source information. Limited source information suggests that the vulnerability is fixed in version 4.0.0-beta.471.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:50.043Z and has not been modified since then. The NVD entry is currently Deferred.