PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42200 coollabsio CVE debrief

CVE-2026-42200 is a high-severity vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. The vulnerability exists in the PostgreSQL initialization script, specifically in the generate_init_scripts() method in app/Actions/Database/StartPostgresql.php. The script's filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue was fixed in version 4.0.0-beta.474. The CVE record was published on 2026-07-07T04:17:52.923Z and has not been modified since then. The NVD entry is currently Deferred.

Vendor
coollabsio
Product
coolify
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Coolify, especially those who have not upgraded to version 4.0.0-beta.474 or later, should be aware of this vulnerability and take necessary precautions to prevent exploitation. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and plan for remediation.

Technical summary

The vulnerability in Coolify's PostgreSQL initialization script allows an authenticated user to write files outside the intended directory, leading to command execution through database initialization. The issue arises from insufficient path restriction in the filename handling of the generate_init_scripts() method in app/Actions/Database/StartPostgresql.php. This vulnerability has a CVSS score of 8.8 and is classified as HIGH severity. The vulnerability was fixed in version 4.0.0-beta.474.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Coolify version 4.0.0-beta.474 or later
  • Restrict access to the PostgreSQL initialization script
  • Monitor for suspicious activity related to database initialization
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-07T04:17:52.923Z and last modified on 2026-07-07T13:22:13.557Z. The NVD entry is currently Deferred. Evidence is limited, and defenders should verify affected scope and vendor guidance. No additional information is available beyond the CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T04:17:52.923Z and has not been modified since then. The NVD entry is currently Deferred.