Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-34168— Coolify: Command injection via unsanitized persistent storage name in docker volume commands

CVSS 8.8 · High EPSS 0.40% · P32

Possible ATT&CK Techniques 1AI

T1059.004 · Unix Shell

Affected Version Matrix 1

VendorProductVersion RangeStatus
coollabsiocoolify< 4.0.0-beta.471affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-34168

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Coolify: Command injection via unsanitized persistent storage name in docker volume commands
Source: NVD (National Vulnerability Database)
Vulnerability Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a storage name containing shell metacharacters and execute commands on managed servers when the resource is deleted. This issue is fixed in version 4.0.0-beta.471.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
coolLabs Coolify 命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
coolLabs Coolify是coolLabs团队开源的一个开源和自托管的 Heroku/Netlify/Vercel 替代品。 coolLabs Coolify 4.0.0-beta.471之前版本存在命令注入漏洞,该漏洞源于LocalPersistentVolume.name字段未进行shell参数转义就拼接到docker volume shell命令中,可能导致认证用户设置包含shell元字符的存储名称并在资源删除时在受管服务器上执行命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
coollabsiocoolify < 4.0.0-beta.471 -

II. Public POCs for CVE-2026-34168

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7847 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-34168

登录查看更多情报信息。

Patches & Fixes for CVE-2026-34168 (1)

Vendor Advisories for CVE-2026-34168 (1)

Other References for CVE-2026-34168 (1)

Same Patch Batch · coollabsio · 2026-07-07 · 21 CVEs total

CVE-2026-340479.9 CRITICALCoolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution
CVE-2026-340379.9 CRITICALCross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()
CVE-2026-340489.9 CRITICALCoolify: Missing authorization on terminal websocket bootstrap routes allows low-privilege
CVE-2026-422008.8 HIGHCoolify: PostgreSQL Init Script Path Traversal Leads to Arbitrary File Write and Root RCE
CVE-2026-341588.8 HIGHCoolify: Command injection via single-quote breakout in Docker Compose custom commands
CVE-2026-340348.8 HIGHCoolify: Host RCE via Sentinel token injection
CVE-2026-340588.8 HIGHCoolify: OS Command Injection via Unmanaged Container Operations - Remote Code Execution
CVE-2026-341528.8 HIGHCoolify: Command Injection via Newline in Pre/Post Deployment Commands (Heredoc Transport)
CVE-2026-340358.8 HIGHCoolify: Host RCE via Log Drain secret/env command injection
CVE-2026-340578.8 HIGHCoolify: Authenticated Remote Code Execution via Command Injection in Database Import Cont
CVE-2026-421438.8 HIGHCoolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers
CVE-2026-341718.0 HIGHCoolify: Account takeover via CSRF-able GET endpoint that resets password to attacker-know
CVE-2026-340447.7 HIGHCoolify: Cross-team IDOR in logs component (resource lookup not team-scoped)
CVE-2026-341985.3 MEDIUMCoolify: Password reset link poisoning via X-Forwarded-Host header spoofing
CVE-2026-421474.9 MEDIUMCoolify: SSRF via S3 Storage Endpoint in testConnection()
CVE-2026-341704.3 MEDIUMCoolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL
CVE-2026-341493.3 LOWCoolify: Authenticated Host-Level RCE via Unescaped Database Credentials in Backup Jobs
CVE-2026-422013.3 LOWCoolify: OS Command Injection via Database Credential Fields in Docker Compose Service Com
CVE-2026-421453.1 LOWCoolify: File Upload Without Type or Size Validation in Database Backup Restore
CVE-2026-421723.1 LOWCoolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access

IV. Related Vulnerabilities

V. Comments for CVE-2026-34168

No comments yet


Leave a comment