ctipilot.ch

CVE-2026-34038 — Coolify: authenticated command injection to RCE and secrets exfiltration (CVSS 9.9)

From CTI Daily Brief — 2026-07-03 · published 2026-07-03

Coolify — a widely used open-source self-hosted PaaS / deployment platform (a Heroku/Vercel alternative for organizations running their own CI/CD-to-production pipelines) — fixed a CWE-78 OS command-injection flaw (CVSS 3.1 9.9, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) in ApplicationDeploymentJob.php. The dockerfile_location and pre_deployment_command deployment parameters are passed to a shell without escaping, letting a user with only application "write" permission inject arbitrary OS commands (via ;, &&, backticks) that execute on the underlying host during a deployment; because deployment logs capture command output, exploitation also exfiltrates the application's configured environment secrets (coollabsio GHSA-qqrq-r9h4-x6wp, 2026-07-02).

The vendor advisory notes a separate permission bypass, meaning the attacker does not need explicit "deploy" rights: broad "write" access is enough. BSI CERT-Bund published WID-SEC-2026-2182 the same day, citing the GHSA as origin (BSI CERT-Bund, 2026-07-01).

Fixed in ≥ v4.0.0-beta.469; ≤ v4.0.0-beta.462 are affected. No in-the-wild exploitation is reported by the vendor or BSI, and the CVE is not yet NVD-enriched.

Detection: audit deployment-job logs for shell metacharacters in dockerfile_location/pre_deployment_command submitted by non-admin write-scoped accounts, and flag unexpected child processes off the PHP-FPM/queue-worker tree during a deployment (T1059 / T1190).

Hardening: patch, restrict "write" grants to trusted users, and rotate any secrets referenced in deployment env vars that were reachable before patching.
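The log audit described in the detection guidance, as an added example that is not Coolify's code or part of the advisory. It assumes a structured (JSON-per-line) deployment-job log with `user`, `role`, `application` and `params` fields; those names, the role values and the sample lines are constructed for illustration and must be mapped onto whatever your Coolify deployment logs actually emit. dockerfile_location is held to a strict relative-path allowlist (no legitimate value needs shell metacharacters), while pre_deployment_command is only flagged when it carries metacharacters, because legitimate build commands routinely chain with `&&`, so a hit there is a triage lead rather than a verdict.

```python
import json
import re

# Added example, not Coolify's code. Field names, role values and the sample
# log lines below are constructed assumptions about a structured deployment log.

WATCHED_FIELDS = ("dockerfile_location", "pre_deployment_command")
PRIVILEGED_ROLES = {"admin", "owner"}  # constructed: adapt to your role model

# Characters/sequences that let a value escape a single argument when a string
# is interpolated into a shell line without escaping (the CWE-78 pattern).
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")

# A Dockerfile location should only ever be a relative path: allowlist it.
DOCKERFILE_PATH_OK = re.compile(r"^(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+$")


def check_params(params):
    """Return {field: value} for watched fields whose values look unsafe.

    dockerfile_location fails if it is anything but a plain relative path
    (no metacharacters, no '..' segments). pre_deployment_command is flagged
    only when it contains shell metacharacters.
    """
    hits = {}
    loc = params.get("dockerfile_location")
    if loc is not None and (
        not DOCKERFILE_PATH_OK.match(loc) or ".." in loc.split("/")
    ):
        hits["dockerfile_location"] = loc
    cmd = params.get("pre_deployment_command")
    if cmd is not None and SHELL_META.search(cmd):
        hits["pre_deployment_command"] = cmd
    return hits


def scan_log(lines):
    """Return findings for non-privileged submitters; unparseable lines are
    reported rather than silently dropped so log tampering is not masked."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "error": "unparseable log line"})
            continue
        # The brief scopes the audit to non-admin, write-scoped accounts.
        if event.get("role") in PRIVILEGED_ROLES:
            continue
        hits = check_params(event.get("params", {}))
        if hits:
            findings.append({
                "line": lineno,
                "user": event.get("user"),
                "role": event.get("role"),
                "application": event.get("application"),
                "fields": hits,
            })
    return findings


# Constructed sample log lines (not real Coolify output).
SAMPLE_LOG = [
    json.dumps({"ts": "2026-07-03T09:00:00Z", "user": "alice", "role": "admin",
                "application": "shop",
                "params": {"dockerfile_location": "docker/Dockerfile",
                           "pre_deployment_command": "npm ci && npm run build"}}),
    json.dumps({"ts": "2026-07-03T09:05:00Z", "user": "bob", "role": "write",
                "application": "shop",
                "params": {"dockerfile_location": "Dockerfile;echo"}}),
    json.dumps({"ts": "2026-07-03T09:10:00Z", "user": "carol", "role": "write",
                "application": "api",
                "params": {"pre_deployment_command": "composer install"}}),
    json.dumps({"ts": "2026-07-03T09:15:00Z", "user": "dave", "role": "write",
                "application": "api",
                "params": {"pre_deployment_command": "./build.sh; ./notify.sh"}}),
    "not json at all",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run it as a one-off over an exported log, or wire `scan_log` into whatever ships your deployment-job events to your SIEM; the path allowlist on dockerfile_location is also the shape of input validation you would want in front of the deployment job itself, independent of the upstream fix.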