PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42204 coollabsio CVE debrief

A high-severity vulnerability exists in Coolify versions 4.0.0-beta.471 through 4.0.0-beta.473 due to a regression in SHELL_SAFE_COMMAND_PATTERN. This allows an authenticated team member to inject shell commands that execute on the host. The issue is fixed in version 4.0.0-beta.474. Teams using affected versions should verify their inventory and apply the fix. The vulnerability has a CVSS score of 8.8 and is considered High priority.

Vendor
coollabsio
Product
coolify
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Teams using Coolify versions 4.0.0-beta.471 through 4.0.0-beta.473 should verify their inventory and apply version 4.0.0-beta.474 or later. Security teams and operators managing Coolify deployments should review the vulnerability and implement compensating controls if necessary. Monitoring for suspicious activity and implementing asset inventory management are also recommended.

Technical summary

A regression in SHELL_SAFE_COMMAND_PATTERN in Coolify versions 4.0.0-beta.471 through 4.0.0-beta.473 allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields. This enabled an authenticated team member to inject shell commands that execute on the host. The issue is fixed in version 4.0.0-beta.474. Users should review and restrict command injection vulnerabilities in custom Docker Compose fields.

Defensive priority

High priority due to CVSS score of 8.8 and potential for command injection.

Recommended defensive actions

  • Verify Coolify version and upgrade to 4.0.0-beta.474 or later if necessary
  • Review and restrict command injection vulnerabilities in custom Docker Compose fields
  • Monitor for suspicious activity and implement compensating controls
  • Review affected scope and severity with the vendor
  • Check relevant monitoring, detection, and logs for exposed assets
  • Track exceptions and retest remediated assets
  • Implement source tracking for vulnerability management

Evidence notes

Evidence from official CVE and NVD sources indicate a high-severity vulnerability in Coolify, with limited details on exploitability and affected scope. Defenders should verify Coolify version and upgrade to 4.0.0-beta.474 or later if necessary. Limited source information exists on potential attack vectors and impacted components. Further review of custom Docker Compose fields and monitoring for suspicious activity is recommended.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T22:16:49.510Z and has not been modified since then.