Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an authenticated user with database management permissions to execute commands on managed servers. This issue is fixed in version 4.0.0-beta.471.
Published: 2026-07-07
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jul 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Coollabsio
Coollabsio coolify
Vendors & Products Coollabsio
Coollabsio coolify

Tue, 07 Jul 2026 03:30:00 +0000

Type Values Removed Values Added
Description Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an authenticated user with database management permissions to execute commands on managed servers. This issue is fixed in version 4.0.0-beta.471.
Title Coolify: Authenticated Host-Level RCE via Unescaped Database Credentials in Backup Jobs
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Coollabsio Coolify
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-07T14:07:09.741Z

Reserved: 2026-03-25T20:12:04.196Z

Link: CVE-2026-34149

cve-icon Vulnrichment

Updated: 2026-07-07T14:06:41.702Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T04:45:15Z

Weaknesses