Coolify RCE leaks secrets (CVE-2026-34038) [PoC]
CVE-2026-34038
CVE-2026-34038 is a critical authenticated RCE in Coolify prior to 4.0.0-beta.469 that leaks environment variables. Update to 4.0.0-beta.469.
Exploitation confirmed - public proof-of-concept - CVE-2026-34038 is a critical remote command injection in Coolify prior to 4.0.0-beta.469 that lets authenticated users with application write permissions execute arbitrary commands and exfiltrate sensitive environment variables via deployment logs. Patched in 4.0.0-beta.469; update immediately.
Overview
CVE-2026-34038 is a critical (CVSS 9.9) vulnerability in Coolify, an open-source platform for self-hosted server, application, and database management. The flaw resides in how Coolify handles application deployment fields such as dockerfile_location and deployment commands. An authenticated attacker with application write permissions can inject arbitrary shell commands during the deployment process, achieving remote code execution (RCE) on the Coolify server.
The injected commands execute in the context of the Coolify application, allowing the attacker to read, modify, or exfiltrate sensitive environment variables that often contain API keys, database credentials, and other secrets. These secrets are then exposed through deployment logs, creating a significant data leakage risk.
Impact
Successful exploitation of CVE-2026-34038 enables an attacker with low-privileged, authenticated access to the Coolify web interface to:
- Execute arbitrary commands on the Coolify server
- Exfiltrate environment variables containing sensitive credentials
- Potentially pivot to other systems using stolen secrets
- Maintain persistence by modifying deployment configurations
Pre-built Coolify versions 4.0.0-beta.468 and earlier are affected. Docker images and manual installations from source using those versions are vulnerable.
Remediation
Upgrade to Coolify version 4.0.0-beta.469 or later immediately. The fix sanitizes command inputs passed to deployment fields, preventing shell injection. No workarounds are available for earlier versions.
If immediate upgrade is not possible:
- Restrict application write permissions to trusted users only
- Audit deployment logs for signs of command injection
- Rotate any secrets stored in environment variables on affected systems
For official upgrade instructions, refer to the Coolify changelog at Coolify releases.
Security Insight
This vulnerability mirrors a pattern seen in other DevOps tooling (e.g., Jenkins and GitLab CI runners) where deployment configuration fields become injection vectors. Coolify’s pre-4.0.0-beta codebase lacked input sanitization in deployment handlers - a foundational security gap that suggests the project’s earlier release process did not include code review for injection attacks. The severity of CVE-2026-34038 underscores why self-hosted PaaS tools must treat all user-supplied deployment inputs as untrusted. Organizations using Coolify should prioritize cloud-native security scanning for their deployment pipeline.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| ThemeHackers/CVE-2026-34038 CVE-2026-34038: Authenticated Remote Command Injection in Coolify | ★ 1 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
Related Advisories
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution...
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate th...
Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and int...
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `cur...