ctipilot.ch

CVE-2026-34038 — Coolify authenticated command injection to RCE (CVSS 9.9)


Entity statistics

  • Coverage timeline: 1 (first 2026-07-03 → last 2026-07-03)
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-07-03 · CTI Daily Brief — 2026-07-03
     trending_vulns · First coverage: CWE-78 in ApplicationDeploymentJob.php via dockerfile_location/pre_deployment_command; write-perm RCE + secrets exfil; permission-bypass; fixed >=v4.0.0-beta.469; BSI WID-SEC-2026-2182; no ITW.

Where this entity is cited

  • trending_vulns (1)

Source distribution

  • github.com: 1 (50%)
  • wid.cert-bund.de: 1 (50%)

Related entities

Items in briefs about CVE-2026-34038 — Coolify authenticated command injection to RCE (CVSS 9.9) (1)

CVE-2026-34038 — Coolify: authenticated command injection to RCE and secrets exfiltration (CVSS 9.9)

From CTI Daily Brief — 2026-07-03 · published 2026-07-03

Coolify — a widely used open-source self-hosted PaaS / deployment platform (a Heroku/Vercel alternative for organizations running their own CI/CD-to-production pipelines) — fixed a CWE-78 OS command-injection flaw (CVSS 3.1 9.9, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) in ApplicationDeploymentJob.php.

The dockerfile_location and pre_deployment_command deployment parameters are passed to a shell without escaping, letting a user with only application "write" permission inject arbitrary OS commands (via ;, &&, backticks) that execute on the underlying host during a deployment; because deployment logs capture command output, exploitation also exfiltrates the application's configured environment secrets (coollabsio GHSA-qqrq-r9h4-x6wp, 2026-07-02). The vendor advisory notes a separate permission-bypass means the attacker does not need explicit "deploy" rights — broad "write" access is enough.

BSI CERT-Bund published WID-SEC-2026-2182 the same day citing the GHSA as origin (BSI CERT-Bund, 2026-07-01). Fixed in ≥ v4.0.0-beta.469; ≤ v4.0.0-beta.462 are affected. No in-the-wild exploitation is reported by the vendor or BSI, and the CVE is not yet NVD-enriched.

Detection: audit deployment-job logs for shell metacharacters in dockerfile_location/pre_deployment_command submitted by non-admin write-scoped accounts, and flag unexpected child processes off the PHP-FPM/queue-worker tree during a deployment (T1059 / T1190).

Hardening: patch, restrict "write" grants to trusted users, and rotate any secrets referenced in deployment env vars that were reachable before patching.
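The log audit described above, as an added defender-side illustration that is not code from the Coolify project or from the brief: it runs over constructed deployment-job records whose field names and role labels are assumptions, and it treats dockerfile_location (a repository path) more strictly than pre_deployment_command (which legitimately contains shell syntax, so only the non-admin-plus-metacharacter combination is flagged there).

```python
import re
from typing import Dict, List

# Shell metacharacters the brief names (; && backticks) plus the other common
# command-chaining / substitution forms a reviewer would also want caught.
SHELL_META = re.compile(r";|&&|\|\||\||`|\$\(|\$\{|\n")

# dockerfile_location is a path inside the repository: anything outside this
# character set is suspicious no matter who submitted it.
SAFE_PATH = re.compile(r"^[A-Za-z0-9._/\-]+$")

# Roles treated as admin; everything else counts as write-scoped, non-admin.
# Assumed labels for this example, not Coolify's own role names.
ADMIN_ROLES = {"owner", "admin"}


def audit_deployment(job: Dict[str, str]) -> List[str]:
    """Return findings for one deployment-job record.

    Assumed record keys: actor, role, dockerfile_location, pre_deployment_command.
    """
    findings: List[str] = []
    actor = job.get("actor", "?")
    role = job.get("role", "")
    non_admin = role not in ADMIN_ROLES

    loc = job.get("dockerfile_location", "")
    if loc and not SAFE_PATH.match(loc):
        findings.append(f"dockerfile_location has non-path characters (actor={actor}, role={role}): {loc!r}")

    cmd = job.get("pre_deployment_command", "")
    # A pre-deployment command is expected to contain shell syntax, so the
    # signal is the combination of metacharacters and a non-admin submitter.
    if cmd and non_admin and SHELL_META.search(cmd):
        findings.append(f"pre_deployment_command with shell metacharacters from non-admin account {actor}: {cmd!r}")
    return findings


# Constructed sample records (not real Coolify deployment logs).
SAMPLE_JOBS = [
    {"actor": "alice", "role": "admin", "dockerfile_location": "/Dockerfile", "pre_deployment_command": "npm ci && npm run build"},
    {"actor": "bob", "role": "member", "dockerfile_location": "/Dockerfile", "pre_deployment_command": "npm ci"},
    {"actor": "bob", "role": "member", "dockerfile_location": "/Dockerfile; echo probe", "pre_deployment_command": "npm ci"},
    {"actor": "carol", "role": "member", "dockerfile_location": "docker/Dockerfile.prod", "pre_deployment_command": "npm ci && env"},
]

if __name__ == "__main__":
    for i, job in enumerate(SAMPLE_JOBS):
        for finding in audit_deployment(job):
            print(f"job {i}: {finding}")
```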