Critical (9.9)

Coolify RCE leaks secrets (CVE-2026-34038) [PoC]

CVE-2026-34038

CVE-2026-34038 is a critical authenticated RCE in Coolify prior to 4.0.0-beta.469 that leaks environment variables. Update to 4.0.0-beta.469.

Exploitation confirmed - public proof-of-concept - CVE-2026-34038 is a critical remote command injection in Coolify prior to 4.0.0-beta.469 that lets authenticated users with application write permissions execute arbitrary commands and exfiltrate sensitive environment variables via deployment logs. Patched in 4.0.0-beta.469; update immediately.

Overview

CVE-2026-34038 is a critical (CVSS 9.9) vulnerability in Coolify, an open-source platform for self-hosted server, application, and database management. The flaw resides in how Coolify handles application deployment fields such as dockerfile_location and deployment commands. An authenticated attacker with application write permissions can inject arbitrary shell commands during the deployment process, achieving remote code execution (RCE) on the Coolify server.

The injected commands execute in the context of the Coolify application, allowing the attacker to read, modify, or exfiltrate sensitive environment variables that often contain API keys, database credentials, and other secrets. These secrets are then exposed through deployment logs, creating a significant data leakage risk.

Impact

Successful exploitation of CVE-2026-34038 enables an attacker with low-privileged, authenticated access to the Coolify web interface to:

  • Execute arbitrary commands on the Coolify server
  • Exfiltrate environment variables containing sensitive credentials
  • Potentially pivot to other systems using stolen secrets
  • Maintain persistence by modifying deployment configurations

Pre-built Coolify versions 4.0.0-beta.468 and earlier are affected. Docker images and manual installations from source using those versions are vulnerable.

Remediation

Upgrade to Coolify version 4.0.0-beta.469 or later immediately. The fix sanitizes command inputs passed to deployment fields, preventing shell injection. No workarounds are available for earlier versions.

If immediate upgrade is not possible:

  1. Restrict application write permissions to trusted users only
  2. Audit deployment logs for signs of command injection
  3. Rotate any secrets stored in environment variables on affected systems

For official upgrade instructions, refer to the Coolify changelog at Coolify releases.

Security Insight

This vulnerability mirrors a pattern seen in other DevOps tooling (e.g., Jenkins and GitLab CI runners) where deployment configuration fields become injection vectors. Coolify’s pre-4.0.0-beta codebase lacked input sanitization in deployment handlers - a foundational security gap that suggests the project’s earlier release process did not include code review for injection attacks. The severity of CVE-2026-34038 underscores why self-hosted PaaS tools must treat all user-supplied deployment inputs as untrusted. Organizations using Coolify should prioritize cloud-native security scanning for their deployment pipeline.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
ThemeHackers/CVE-2026-34038

CVE-2026-34038: Authenticated Remote Command Injection in Coolify

★ 1

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.

Related Advisories

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.