CVE-2026-34049

Source
https://cve.org/CVERecord?id=CVE-2026-34049
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34049.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34049
Aliases
  • GHSA-4mpw-wcj4-v9pp
Published
2026-07-06T21:22:46.878Z
Modified
2026-07-09T03:51:52.413754858Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Coolify: Command Injection via unsanitized MongoDB collection names in database backup
Details

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure backup inputs to inject commands. This issue is fixed in version 4.0.0-beta.471.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34049.json"
}
References

Affected packages

Git / github.com/coollabsio/coolify

Affected ranges

Type
GIT
Repo
https://github.com/coollabsio/coolify
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.0.0-beta.451"
        },
        {
            "fixed": "4.0.0-beta.471"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v4.*
v4.0.0-beta.451
v4.0.0-beta.452
v4.0.0-beta.453
v4.0.0-beta.454
v4.0.0-beta.455
v4.0.0-beta.456
v4.0.0-beta.457
v4.0.0-beta.458
v4.0.0-beta.459
v4.0.0-beta.460
v4.0.0-beta.461
v4.0.0-beta.462
v4.0.0-beta.463
v4.0.0-beta.464
v4.0.0-beta.465
v4.0.0-beta.466
v4.0.0-beta.467
v4.0.0-beta.468
v4.0.0-beta.469
v4.0.0-beta.470

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34049.json"