← back
CVE-2026-34038

Coolify authenticated remote command injection leading to RCE and secret exfiltration

CVSS 9.9 CRITICALEPSS 2.5%CWE-78
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Popular PoC on GitHub (1 stars) — exploitation code widely available.
CVSS 9.9EPSS 2.5%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
04 Jul 2026Public PoC
06 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
coollabsio · coolify
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.