CVE-2026-34152 Overview
CVE-2026-34152 is a command injection vulnerability in Coolify, an open-source and self-hostable platform for managing servers, applications, and databases. The flaw affects pre-deployment and post-deployment commands, which are single-quote escaped but then transported through SSH heredoc that preserves newlines. An authenticated user can inject additional shell statements that execute on the remote server during deployment. The issue is fixed in version 4.0.0-beta.471.
Critical Impact
Authenticated users can execute arbitrary shell commands on remote deployment targets, breaking out of the intended command context and compromising managed servers.
Affected Products
- Coolify versions prior to 4.0.0-beta.471
- Self-hosted Coolify server management deployments
- Coolify-managed remote servers reachable over SSH
Discovery Timeline
- 2026-07-07 - CVE-2026-34152 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-34152
Vulnerability Analysis
Coolify sanitizes user-supplied pre-deployment and post-deployment commands by wrapping them in single quotes. Single-quote escaping alone stops quote-based breakouts inside a single line, but the escaped payload is then sent to the remote host over an SSH heredoc block. Heredoc transport preserves newline characters, so any newline embedded in the user input terminates the current shell statement and starts a new one. The attacker's follow-on statements execute in the deployment shell with the privileges of the remote SSH account. This class of flaw is tracked as OS Command Injection [CWE-78].
Root Cause
The root cause is an inconsistent escaping model between the shell quoting layer and the transport layer. Single-quote escaping assumes a one-line command context, while the SSH heredoc transport treats every newline as a statement separator. Newline characters in the user-controlled command field are neither stripped nor escaped before being placed inside the heredoc, so the quoting boundary is broken as soon as input contains \n.
Attack Vector
The attack requires an authenticated Coolify user with permission to configure an application's pre-deployment or post-deployment hooks. The attacker enters a command that contains a newline followed by arbitrary shell statements. When a deployment runs, Coolify opens an SSH session to the target server, streams the heredoc, and the remote shell executes each line as a separate command. The remote server processes the injected statements with the deployment user's privileges, enabling code execution, credential theft, lateral movement, or persistence on the managed host.
A sanitized example is not published for this advisory. Refer to the GitHub Security Advisory GHSA-5qp8-9gg7-4c86 and the fix commit for the technical patch details.
Detection Methods for CVE-2026-34152
Indicators of Compromise
- Pre-deployment or post-deployment command fields that contain newline characters or unexpected shell metacharacters such as ;, &&, |, or $(...).
- Deployment logs showing shell commands that were not defined in the application configuration.
- Unexpected outbound network connections, new user accounts, or cron entries created on remote servers immediately after a Coolify deployment run.
Detection Strategies
- Audit the Coolify database and application configuration for pre_deployment_command and post_deployment_command values containing \n or shell control operators.
- Correlate Coolify deployment events with remote host process execution logs to identify commands that do not match the configured hooks.
- Monitor SSH sessions originating from the Coolify host for heredoc payloads that spawn unexpected child processes.
Monitoring Recommendations
- Enable and centralize shell auditing (for example auditdexecve records) on all servers managed by Coolify.
- Alert on process creation under the deployment SSH user that falls outside the expected deployment command set.
- Track Coolify user activity logs for changes to deployment hooks and require review of any modification to those fields.
How to Mitigate CVE-2026-34152
Immediate Actions Required
- Upgrade all Coolify instances to version 4.0.0-beta.471 or later without delay.
- Review and reset the pre-deployment and post-deployment command fields of every application to remove attacker-controlled payloads.
- Rotate SSH keys and credentials used by Coolify to reach managed servers if unauthorized deployment hook changes are found.
Patch Information
The vulnerability is fixed in Coolify v4.0.0-beta.471. The fix is implemented in pull request #9173 and commit ad95d65, which changes how deployment commands are encoded before being sent through the SSH heredoc transport so that embedded newlines can no longer terminate the quoted statement.
Workarounds
- Restrict Coolify accounts with permission to edit deployment hooks to a minimal set of trusted administrators until the patch is applied.
- Disable or clear pre-deployment and post-deployment command hooks on production applications until the upgrade is completed.
- Isolate Coolify-managed servers on a segmented network and limit the deployment SSH account to the least privileges required.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

