Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42201

CVE-2026-42201: Coolify Database Credential RCE Vulnerability

CVE-2026-42201 is a remote code execution vulnerability in Coolify caused by unsafe database credential handling. Attackers can inject malicious commands through credential fields. This article covers technical details, affected versions, and fixes.

Published:

CVE-2026-42201 Overview

Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. Versions prior to 4.0.0-beta.474 contain a command injection flaw [CWE-78] in database credential handling. The API layer validates fields such as redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, and mysql_user only as generic strings. Coolify interpolates these values directly into Docker Compose YAML command: strings without shell escaping. An authenticated user with high privileges can inject shell metacharacters into these fields. The maintainers fixed the issue in version 4.0.0-beta.474.

Critical Impact

Authenticated high-privilege users can inject shell commands through database credential fields that Coolify passes unescaped into Docker Compose command strings.

Affected Products

  • Coolify versions prior to 4.0.0-beta.474
  • Coolify self-hosted deployments managing MySQL, PostgreSQL, Redis, KeyDB, DragonflyDB, and ClickHouse databases
  • Coolify MongoDB database provisioning workflows

Discovery Timeline

  • 2026-07-07 - CVE-2026-42201 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-42201

Vulnerability Analysis

The flaw resides in Coolify's database provisioning actions, where credential fields flow from the API into shell commands and Docker Compose YAML without sanitization. Because Coolify constructs Docker Compose command: strings by direct string interpolation, any shell metacharacter placed inside a credential field becomes part of the executed command. The API layer type-checks these values as strings but performs no shell-safety validation.

The attack requires authenticated access with permission to create or modify database resources. Successful injection leads to command execution in the Coolify server context, which manages Docker containers and host-level operations.

Root Cause

Coolify treated user-controlled credentials as trusted string data and concatenated them into shell command strings and YAML manifests. There was no call to escapeshellarg(), no JSON encoding for JavaScript initialization scripts, and no allow-list validation for credential characters. This is a classic [CWE-78] OS Command Injection pattern where structured data crosses into a shell context without a proper escaping boundary.

Attack Vector

An authenticated user with database management privileges submits a credential value containing shell metacharacters such as "; command; #. When Coolify starts the database container, the injected payload executes on the host running the Coolify orchestration service. The fix introduces credential format validation and applies escapeshellarg() and json_encode() at the interpolation boundary.

php
// Patch excerpt: app/Actions/Database/StartMongodb.php
// Before: raw interpolation of credentials into a JS initialization script
// $content = "db = db.getSiblingDB(\"{$this->database->mongo_initdb_database}\"); ...

// After: JSON-encode each user-controlled value to neutralize quotes and metacharacters
$dbJson   = json_encode($this->database->mongo_initdb_database, JSON_UNESCAPED_SLASHES);
$userJson = json_encode($this->database->mongo_initdb_root_username, JSON_UNESCAPED_SLASHES);
$pwdJson  = json_encode($this->database->mongo_initdb_root_password, JSON_UNESCAPED_SLASHES);
$content  = "db = db.getSiblingDB({$dbJson});"
          . "db.createCollection('init_collection');"
          . "db.createUser({user: {$userJson}, pwd: {$pwdJson},"
          . " roles: [{role:\"readWrite\",db:{$dbJson}}]});";

// Patch excerpt: app/Actions/Database/StartMysql.php
// Before: chown {$this->database->mysql_user}:{$this->database->mysql_user} ...
// After: escape the username before shell interpolation
$mysqlUser = escapeshellarg($this->database->mysql_user);
$this->commands[] = executeInDocker(
    $this->database->uuid,
    "chown {$mysqlUser}:{$mysqlUser} /etc/mysql/certs/server.crt /etc/mysql/certs/server.key"
);

Source: Coolify commit bff6d85

Detection Methods for CVE-2026-42201

Indicators of Compromise

  • Database credential fields containing shell metacharacters such as ;, `, $(, &&, |, or embedded quotes
  • Unexpected child processes spawned by the Coolify PHP worker or Docker Compose invocations
  • Generated docker-compose.yml files where command: values contain unquoted or unusual credential substrings

Detection Strategies

  • Audit Coolify database resource definitions for credential values that deviate from expected character sets (alphanumeric plus a limited symbol set).
  • Review process execution logs on the Coolify host for shell invocations spawned from PHP that include suspicious arguments derived from database records.
  • Compare rendered Docker Compose files against known-good templates and flag deviations in command: blocks.

Monitoring Recommendations

  • Log and alert on modifications to Coolify database entities and correlate them with subsequent shell command execution on the host.
  • Enable Docker daemon and container runtime auditing to capture container start commands and their arguments.
  • Monitor the Coolify application logs for StartMysql, StartMongodb, and related action executions with abnormal parameter values.

How to Mitigate CVE-2026-42201

Immediate Actions Required

  • Upgrade Coolify to version 4.0.0-beta.474 or later, which enforces credential format validation and applies shell and JSON escaping.
  • Rotate all database credentials created or edited before the upgrade, particularly on multi-tenant Coolify instances.
  • Review Coolify user accounts and revoke database management privileges from accounts that do not require them.

Patch Information

The fix is delivered in Coolify release v4.0.0-beta.474 via Pull Request #9676 and commit bff6d85. Full details are published in GitHub Security Advisory GHSA-f35h-g2c2-q36v. The patch adds format validation for credential fields and applies escapeshellarg() and json_encode() at each shell and script interpolation boundary.

Workarounds

  • Restrict Coolify administrative access to trusted operators until the upgrade is deployed.
  • Enforce strict character allow-lists (alphanumeric only) for all database credentials created through the Coolify UI or API.
  • Place the Coolify management interface behind network segmentation and require VPN or bastion access.
bash
# Verify the running Coolify version and upgrade
docker exec coolify php artisan --version

# Pull the fixed release
curl -fsSL https://cdn.coollabs.io/coolify/install.sh \
  | sudo bash -s -- --version v4.0.0-beta.474

# Confirm the fix is present in the container start actions
grep -R "escapeshellarg\|json_encode" \
  /var/www/html/app/Actions/Database/ | head

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.