Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42204

CVE-2026-42204: Coolify Command Injection RCE Vulnerability

CVE-2026-42204 is a command injection RCE flaw in Coolify that allows authenticated team members to execute arbitrary shell commands on the host. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-42204 Overview

Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. CVE-2026-42204 is a command injection vulnerability [CWE-78] affecting Coolify versions 4.0.0-beta.471 through 4.0.0-beta.473. A regression in the SHELL_SAFE_COMMAND_PATTERN validation regex allowed ampersand characters to pass input filtering. Authenticated team members could inject shell metacharacters into custom Docker Compose build, start, and pre/post-deployment command fields. The injected commands execute on the underlying host during deployment operations. The issue was resolved in version 4.0.0-beta.474.

Critical Impact

An authenticated team member can achieve arbitrary shell command execution on the Coolify host, compromising confidentiality, integrity, and availability of all managed servers and applications.

Affected Products

  • Coolify 4.0.0-beta.471
  • Coolify 4.0.0-beta.472
  • Coolify 4.0.0-beta.473

Discovery Timeline

  • 2026-07-06 - CVE-2026-42204 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-42204

Vulnerability Analysis

Coolify validates user-supplied Docker command strings using a regular expression constant named SHELL_SAFE_COMMAND_PATTERN defined in app/Support/ValidationPatterns.php. The regex was designed to block shell metacharacters such as ;, |, `, $, (, ), <, >, backslashes, and newlines while allowing & so that legitimate && command chaining (common in multi-step Docker builds) could pass validation.

The pattern permitted any occurrence of & rather than only the && sequence. A single bare & acts as a background operator in POSIX shells, effectively splitting a command line into independently executed statements. An authenticated user with permission to edit a project could enter a Docker Compose custom build, start, or pre/post-deployment command containing & followed by attacker-chosen shell payloads. Coolify then passed the string to the shell during deployment, executing the injected commands with the privileges of the Coolify runtime.

Root Cause

The root cause is an over-permissive character class in the validation regex. The original pattern /^[a-zA-Z0-9 \t._\-\/=:@,+\[\]{}#%^~&\"\']+$/ treated & as a permitted character in any position. Because the regex operated on a character-set basis rather than tokenizing the command string, it could not distinguish between the safe && operator and the dangerous bare &. This is a classic instance of blocklist/allowlist regex bypass in OS command construction [CWE-78].

Attack Vector

Exploitation requires an authenticated Coolify account with team-member privileges to edit an application's build configuration. The attacker submits a Docker Compose custom command containing & followed by arbitrary shell code. When deployment is triggered, Coolify passes the command to the shell on the host. Because the attack vector is network-accessible and requires only low-privilege authentication, any compromised or malicious team account becomes a path to host takeover.

php
// Vulnerable pattern (pre-patch) — bare & permitted
public const SHELL_SAFE_COMMAND_PATTERN = '/^[a-zA-Z0-9 \t._\-\/=:@,+\[\]{}#%^~&"\']+$/';

// Patched pattern — token-aware, only && and || permitted; bare & blocked
// Accepts sequences of: whitespace, &&, ||, balanced quoted strings, or safe unquoted chars
// Blocks: bare &, bare |, ;, $, `, (, ), <, >, \, newline, CR

Source: GitHub Commit e1aac50

Detection Methods for CVE-2026-42204

Indicators of Compromise

  • Unexpected child processes spawned by the Coolify PHP or Docker runtime processes on the host.
  • Docker Compose build, start, or pre/post-deployment command fields containing bare & characters followed by additional command tokens.
  • Outbound network connections initiated by the Coolify host to unfamiliar destinations shortly after deployment events.
  • New user accounts, SSH keys, or scheduled tasks created on the Coolify host without administrative action.

Detection Strategies

  • Audit application records in the Coolify database for stored dockerComposeCustomBuildCommand, dockerComposeCustomStartCommand, preDeploymentCommand, and postDeploymentCommand values containing suspicious shell syntax.
  • Enable process-lineage logging on the Coolify host and alert when the Coolify service spawns interpreters such as sh, bash, curl, wget, or nc.
  • Review application edit and deployment events in Coolify audit logs for team members who modified command fields between beta.471 and beta.473.

Monitoring Recommendations

  • Forward host process and command-line telemetry to a centralized data lake for retrospective hunting across the beta.471-beta.473 exposure window.
  • Baseline expected Docker build commands per project and alert on deviations, particularly commands containing &, ;, or backtick characters.
  • Monitor Coolify host filesystem for new binaries and modifications to ~/.ssh/authorized_keys, cron directories, and /etc/systemd/system/.

How to Mitigate CVE-2026-42204

Immediate Actions Required

  • Upgrade Coolify to version 4.0.0-beta.474 or later, which replaces the character-class regex with a token-aware validator.
  • Rotate credentials, API tokens, and SSH keys stored on or accessible from the Coolify host if the instance ran an affected version.
  • Review team-member accounts and revoke access for any users who should not retain application-edit permissions.
  • Inspect all stored Docker Compose custom commands and remediate entries containing unexpected shell metacharacters.

Patch Information

The fix is delivered in Coolify v4.0.0-beta.474 via Pull Request #9684. The patch replaces SHELL_SAFE_COMMAND_PATTERN with a tokenized regex that explicitly matches && and || as complete operators, balanced single and double-quoted strings, and safe unquoted characters. Bare &, bare |, ;, $, backtick, parentheses, redirection operators, backslashes, and newlines are blocked. See the GitHub Security Advisory GHSA-chg4-63hm-xv9x for full details.

Workarounds

  • Restrict Coolify team membership to trusted operators until the patch is applied, treating team-member access as equivalent to shell access on the host.
  • Disable use of Docker Compose custom build, start, and pre/post-deployment command fields where operationally feasible.
  • Run Coolify with the least privilege necessary and isolate the host from sensitive internal networks to contain post-exploitation impact.
bash
# Verify installed Coolify version and upgrade
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
# Confirm version is >= 4.0.0-beta.474
docker inspect coolify --format '{{.Config.Image}}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.