CVE-2026-34153 Overview
Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. A command injection vulnerability [CWE-78] affects Coolify versions prior to 4.0.0-beta.471. The LocalFileVolume::saveStorageOnServer function builds shell commands using unescaped fs_path and parent_dir values before validation occurs. Additionally, submitFileStorage fails to validate the user-controlled file-mount path before creating a volume. An authenticated user with permission to add file storage can inject shell commands that execute when the storage is saved on the underlying server.
Critical Impact
Authenticated attackers can achieve arbitrary command execution on the Coolify host, leading to full compromise of managed servers, applications, and databases.
Affected Products
- Coolify versions prior to 4.0.0-beta.471
- Self-hosted Coolify deployments exposing the file storage feature to authenticated users
- Coolify API endpoints handling database and service file volumes
Discovery Timeline
- 2026-07-06 - CVE-2026-34153 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-34153
Vulnerability Analysis
The vulnerability resides in Coolify's file volume handling logic. The LocalFileVolume::saveStorageOnServer method constructs shell commands by concatenating user-supplied fs_path and parent_dir values directly into command strings. Escaping and validation occur after command construction, which permits shell metacharacters to alter command semantics.
A parallel weakness exists in submitFileStorage, which accepts a user-controlled file-mount path without validating its structure or contents before creating the volume. Any authenticated user with rights to add file storage on a resource can trigger the flaw.
Once injected, commands run in the context of the Coolify server process. This process manages Docker resources and orchestrates deployments, so command execution typically yields access to container secrets, environment variables, and connected infrastructure.
Root Cause
The root cause is improper neutralization of special elements used in an OS command [CWE-78]. Coolify built shell strings from untrusted input and deferred validation until after the command was assembled, defeating the intended sanitization step.
Attack Vector
Exploitation requires network access to the Coolify API and valid credentials with permission to add file storage to a service or database. The attacker submits a crafted file_storage_path value containing shell metacharacters such as ;, |, $(), or backticks. When Coolify saves the storage entry to the target server, the injected command executes.
// Security patch excerpt - app/Http/Controllers/Api/DatabasesController.php
// fix(storage): consistent path validation and escaping for file volumes
// this check if the request is a valid json
$return = validateIncomingRequest($request);
- if ($return instanceof \Illuminate\Http\JsonResponse) {
+ if ($return instanceof JsonResponse) {
return $return;
}
$validator = customApiValidator($request->all(), [
Source: GitHub Commit 3fdce06
// Security patch excerpt - app/Http/Controllers/Api/ServicesController.php
// fix(storage): consistent path validation and escaping for file volumes
$this->authorize('create', Service::class);
$return = validateIncomingRequest($request);
- if ($return instanceof \Illuminate\Http\JsonResponse) {
+ if ($return instanceof JsonResponse) {
return $return;
}
$validationRules = [
Source: GitHub Commit 3fdce06
Detection Methods for CVE-2026-34153
Indicators of Compromise
- Coolify API requests to file storage endpoints containing shell metacharacters such as ;, |, &&, $(), or backticks in file_storage_path fields
- Unexpected child processes spawned by the Coolify PHP or worker process, particularly sh, bash, curl, wget, or nc
- Outbound network connections from the Coolify host to attacker-controlled infrastructure following file volume creation events
- New or modified files under paths referenced by fs_path or parent_dir that were not part of a legitimate deployment
Detection Strategies
- Inspect Coolify application logs for saveStorageOnServer and submitFileStorage invocations with anomalous path values
- Enable process auditing on the Coolify host to record command-line arguments of shell processes spawned by the web server user
- Correlate authenticated user activity in Coolify with file storage creation events and subsequent server-side command executions
- Deploy runtime behavioral monitoring on the Coolify host to identify command injection patterns in shell process trees
Monitoring Recommendations
- Forward Coolify web and worker logs to a centralized SIEM with alerting on suspicious characters in storage-related API parameters
- Monitor Docker socket activity and container creation events triggered by the Coolify service account
- Track outbound DNS and HTTP traffic from the Coolify host and flag connections to unrecognized destinations
- Alert on any modification of Coolify user roles or creation of new administrative accounts
How to Mitigate CVE-2026-34153
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.471 or later without delay
- Audit the list of users authorized to add file storage and revoke access from accounts that do not require it
- Review recent file storage creation events and inspect associated fs_path values for signs of injection attempts
- Rotate credentials, API tokens, and secrets managed by the Coolify instance if compromise is suspected
Patch Information
The issue is fixed in Coolify 4.0.0-beta.471. The patch introduces consistent path validation and escaping for file volumes across DatabasesController and ServicesController, and validates the file-mount path before storage creation. See the GitHub Security Advisory GHSA-46hp-7m8g-7622 and the GitHub Pull Request Discussion for the complete change set.
Workarounds
- Restrict Coolify API and web console access to trusted networks using firewall rules or a VPN until patching is complete
- Limit file storage creation permissions to a minimal set of administrative users
- Place the Coolify instance behind a reverse proxy that enforces authentication and inspects request payloads for shell metacharacters
- Run Coolify under a dedicated, least-privileged system account to reduce blast radius if command execution occurs
# Upgrade Coolify to the patched release
curl -fsSL https://cdn.coollabs.io/coolify/install.sh -o install.sh
sudo bash ./install.sh
# Verify installed version meets or exceeds the fixed release
docker inspect coolify --format '{{.Config.Image}}'
# Expected: coollabsio/coolify:4.0.0-beta.471 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

