# CVE-2026-34038: Authenticated Remote Command Injection in Coolify

This repository contains documentation and analysis for **CVE-2026-34038**, a critical command injection vulnerability in Coolify.

## Summary

An authenticated remote command injection vulnerability (CWE-78) in Coolify allows users with application **"write"** permissions to achieve **Remote Code Execution (RCE)** and **exfiltrate** sensitive environment variables (e.g., database credentials, API keys) via deployment logs, even if the build environment isolates the Docker socket.

* **Vulnerability Type:** CWE-78 (OS Command Injection)
* **Severity:** Critical (CVSS 10.0)
* **Vector:** `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`

---

## Prerequisites & Limitations

* **Minimum Required Permissions:** `write` (to update configuration) and `read:sensitive` (to read exfiltrated data via logs).
* **Bypass:** A mechanism exists allowing tokens without explicit `deploy` permissions to trigger builds.
* **Attack Surface:** The overall attack surface is larger than initially estimated since administrative/root privileges are not required.

---

## Technical Details

### 1. `dockerfile_location` Injection

**File:** `app/Jobs/ApplicationDeploymentJob.php`

The `dockerfile_location` value is interpolated directly into the command string without shell escaping or input validation, so shell metacharacters such as `;`, `&&`, and `|` reach the shell unchanged and permit direct command injection.

```php
// Lines 2976-2978: Traditional build with args
$build_command = $this->wrap_build_command_with_env_export(
    "docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} --progress plain -t $this->build_image_name {$this->workdir}"
);

// Line 526: Also used in simple dockerfile deployment
executeInDocker($this->deployment_uuid, "echo '$dockerfile_base64' | base64 -d | tee {$this->workdir}{$this->dockerfile_location} > /dev/null"),
```

### 2. `pre_deployment_command` Execution

**File:** `app/Jobs/ApplicationDeploymentJob.php` (Lines 3882-3909)

While single quotes are escaped before the value is wrapped in `sh -c '...'`, the feature by design executes the user-supplied string as a native shell command inside the container, so its output can be written straight into the build logs.

```php
private function run_pre_deployment_command()
{
    if (empty($this->application->pre_deployment_command)) {
        return;
    }
    // ...
    $cmd = "sh -c '".str_replace("'", "'\\''", $this->application->pre_deployment_command)."'";
    $exec = "docker exec {$containerName} {$cmd}";
    $this->execute_remote_command(
        [
            'command' => $exec,
            'hidden' => true,
        ],
    );
}
```

---

## Remediation

### 1. Sanitize `dockerfile_location` Input (in `ApplicationDeploymentJob.php`):

Validate the input using strict regular expressions and escape the shell argument:

```php
if ($this->application->dockerfile_location) {
    if (!preg_match('/^[a-zA-Z0-9._\-\/]+$/', $this->application->dockerfile_location)) {
        throw new \RuntimeException("Invalid dockerfile_location: contains forbidden characters");
    }
    if (str_contains($this->application->dockerfile_location, '..')) {
        throw new \RuntimeException("Invalid dockerfile_location: path traversal detected");
    }
    $this->dockerfile_location = escapeshellarg($this->application->dockerfile_location);
}
```

### 2. API-Level Validation (`bootstrap/helpers/api.php`):

```php
'dockerfile_location' => [
    'string',
    'nullable',
    'regex:/^[a-zA-Z0-9._\-\/]+$/',
    'max:255'
],
```

### 3. Other Guidelines:
* Enforce strict allowlists blocking shell metacharacters.
* Fix the deployment permission bypass logic.
* Audit equivalent fields such as `docker_compose_location`.
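The following standalone PHP script is an added example, not Coolify's own code, that combines the checks from remediation steps 1 and 3 (character allowlist, traversal check, shell-argument escaping) into a single validation-plus-command-building routine so they can be exercised outside the deployment job. The function names `validateDockerfileLocation()` and `buildDockerBuildCommand()`, the exception class, and the sample workdir and inputs are all hypothetical and constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not Coolify code): standalone version of the validation the
// Remediation section describes. Helper names are hypothetical, not Coolify APIs.

final class InvalidDockerfileLocation extends RuntimeException {}

/**
 * Accept only a path made of allowlisted characters and without traversal.
 * Returns the validated (still unescaped) value so callers can keep using it as data.
 */
function validateDockerfileLocation(string $location): string
{
    if ($location === '') {
        throw new InvalidDockerfileLocation('dockerfile_location must not be empty');
    }
    // Same allowlist as remediation step 1: letters, digits, dot, underscore, dash, slash.
    if (!preg_match('/^[a-zA-Z0-9._\-\/]+$/', $location)) {
        throw new InvalidDockerfileLocation('dockerfile_location: contains forbidden characters');
    }
    // ".." is made entirely of allowlisted characters, so traversal needs its own check.
    if (str_contains($location, '..')) {
        throw new InvalidDockerfileLocation('dockerfile_location: path traversal detected');
    }
    return $location;
}

/**
 * Build the docker build invocation with every user-influenced argument quoted.
 * Validation runs first; escapeshellarg() is defence in depth on top of it.
 */
function buildDockerBuildCommand(string $workdir, string $dockerfileLocation, string $imageName): string
{
    $location = validateDockerfileLocation($dockerfileLocation);
    // Quote the joined path as one argument instead of concatenating raw strings.
    $dockerfilePath = escapeshellarg($workdir . $location);
    return sprintf(
        'docker build -f %s --progress plain -t %s %s',
        $dockerfilePath,
        escapeshellarg($imageName),
        escapeshellarg($workdir)
    );
}

// Constructed inputs: one benign value and two that the validator must reject.
$cases = [
    '/Dockerfile',          // benign
    '/Dockerfile; id',      // space and semicolon fail the allowlist
    '/../../etc/passwd',    // passes the allowlist, caught by the traversal check
];

foreach ($cases as $input) {
    try {
        echo buildDockerBuildCommand('/artifacts/abc', $input, 'app:latest'), PHP_EOL;
    } catch (InvalidDockerfileLocation $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php validate_dockerfile_location.php`: the first case prints a fully quoted `docker build` command, the other two print a rejection. The example escapes the joined `workdir . location` path rather than escaping `dockerfile_location` on its own because `escapeshellarg()` wraps its argument in single quotes; quoting the fragment and then concatenating it to `$this->workdir` still works in `sh`, but quoting the whole argument keeps the resulting command line easier to audit.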

---

## References & Credits

* **Reporter / Credits:** [ThemeHackers](https://github.com/ThemeHackers)
* **Official Advisory:** [GitHub Security Advisory (GHSA-qqrq-r9h4-x6wp)](https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp)