๐Ÿ” CVE Alert

CVE-2026-34599

HIGH 8.8

Coolify: Authenticated Remote Code Execution in GetLogs Livewire Component

CVSS Score
8.8
EPSS Score
1.4%
EPSS Percentile
69th

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership (lowest privilege member role) to execute arbitrary commands as root on managed servers. The $container Livewire public property is interpolated directly into shell commands (docker logs, docker service logs) without sanitization, and can be modified by any client via the Livewire wire protocol because it lacks the #[Locked] attribute. This issue is fixed in version 4.0.0-beta.471.

CWE CWE-78
Vendor coollabsio
Product coolify
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for coollabsio coolify

Be the first to know when new high vulnerabilities affecting coollabsio coolify are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

coollabsio / coolify
< 4.0.0-beta.471

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/coollabsio/coolify/security/advisories/GHSA-q9j6-xcvx-px63 github.com: https://github.com/coollabsio/coolify/pull/9229 github.com: https://github.com/coollabsio/coolify/commit/f267a28cb2badc7e712c4592af4d79d090fe5063 github.com: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471