CVE-2026-34038
Coolify authenticated remote command injection leading to RCE and secret exfiltration
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Popular PoC on GitHub (1 stars) — exploitation code widely available.
CVSS 9.9EPSS 2.5%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
04 Jul 2026Public PoC
06 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
coollabsio · coolifypublic PoCs found — 1
githubgithub.com/ThemeHackers/CVE-2026-34038★ 1⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.