PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34152 coollabsio CVE debrief

CVE-2026-34152 is a high-severity vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability allows an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue was fixed in version 4.0.0-beta.471. Users should review deployment configurations and access controls. The vulnerability has a high CVSS score of 8.8 and is classified as HIGH severity.

Vendor
coollabsio
Product
coolify
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Coolify versions prior to 4.0.0-beta.471 should apply the patch to prevent potential command injection attacks. Operators, security teams, and platform administrators are impacted. They should review and restrict access to deployment commands, monitor for suspicious activity, and verify Coolify version and patch status.

Technical summary

The vulnerability exists in the pre-deployment and post-deployment commands of Coolify, which are single-quote escaped but then sent through SSH heredoc transport that preserves newlines. This allows an authenticated user to inject additional shell statements that execute on the remote server during deployment. Technical impact is command injection. The issue arises from insufficient input validation and sanitization of user-supplied input in the deployment commands.

Defensive priority

High

Recommended defensive actions

  • Apply the patch by upgrading to Coolify version 4.0.0-beta.471 or later
  • Review and restrict access to deployment commands
  • Monitor for suspicious activity on the deployment server
  • Review compensating controls for exposed systems
  • Check relevant monitoring, detection, and logs for exposed assets
  • Track exceptions and retest remediated assets
  • Verify Coolify version and patch status with limited source information

Evidence notes

The CVE record was published on 2026-07-07T04:17:50.043Z and last modified on 2026-07-07T13:22:13.557Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify Coolify version and patch status with limited source information. Limited source information suggests that the vulnerability is fixed in version 4.0.0-beta.471.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:50.043Z and has not been modified since then. The NVD entry is currently Deferred.