→ Back to Home
Docker

Critical Docker Compose Vulnerability in Coolify Exposes Hosts to Remote Code Execution

A high-severity vulnerability, identified as CVE-2026-42204, has been discovered in Coolify, an open-source platform designed for managing servers, applications, and databases. The vulnerability, which affects Coolify versions 4.0.0-beta.471 through 4.0.0-beta.473, stems from a regression in the `SHELL_SAFE_COMMAND_PATTERN`. This regression inadvertently permitted the use of ampersands within custom Docker Compose build, start, and pre/post-deployment command fields. This oversight creates a critical security loophole, enabling an authenticated team member to inject and execute arbitrary shell commands directly on the underlying host system. The issue has since been addressed and fixed in Coolify version 4.0.0-beta.474. This vulnerability is particularly significant for several reasons. Firstly, its CVSS v3 base score of 8.8 (High) underscores the severe potential impact, allowing for complete compromise of confidentiality, integrity, and availability of the affected host. For organizations utilizing Coolify, this translates to a direct path for an insider threat or a compromised account to gain full control over their infrastructure. Beyond Coolify, this incident serves as a critical warning for any development and operations team relying on Docker Compose in automated pipelines. The ability to inject commands into deployment scripts highlights a fundamental risk in how external inputs are handled, potentially leading to supply chain attacks where malicious code could be introduced and executed during the build or deployment phases. This incident fits into a broader, well-established trend of increasing focus on software supply chain security. As cloud-native architectures become more complex and development workflows increasingly automated, the attack surface expands. Vulnerabilities in tools that bridge development and production, like Coolify and Docker Compose, become prime targets. The industry has seen a rise in attacks exploiting weaknesses in build systems, registries, and deployment tools. This CVE reinforces the necessity for robust input validation and secure coding practices, even in seemingly minor pattern matching or sanitization routines. It also highlights the inherent risks when powerful orchestration tools are exposed to insufficiently validated user-provided configurations. In practice, all users of Coolify versions 4.0.0-beta.471 through 4.0.0-beta.473 must prioritize upgrading to version 4.0.0-beta.474 or later immediately to mitigate this critical risk. For the wider technical audience, this vulnerability serves as a potent case study. Practitioners should conduct thorough security reviews of any custom tooling or CI/CD scripts that construct and execute Docker Compose commands, paying close attention to how user-supplied or dynamically generated values are handled. Implementing strict input sanitization, leveraging least privilege principles for deployment accounts, and ensuring robust container isolation remain paramount. Furthermore, adopting security scanning tools that can detect command injection patterns in configuration files and scripts should be a standard practice to prevent similar vulnerabilities from emerging in other parts of the software delivery pipeline.
#docker compose#security#vulnerability#rce#coolify#supply chain
Read original source