
CVE-2026-34594

Severity: High · RCE

Published: 29 June 2026

Modified: 01 July 2026
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0109 (61.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34594 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.


Vulnerability details

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, an authenticated command injection vulnerability in the Destination Network Management functionality allows users with destination management permissions to execute arbitrary commands as root on managed servers. The "network" parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. This vulnerability is fixed in 4.0.0-beta.471.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Authenticated command injection (CWE-78) in Coolify directly enables RCE via unsanitized shell input, mapping to exploitation of a public-facing management app (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-56095 (shared CWE-78)
CVE-2024-57011 (shared CWE-78)
CVE-2025-37170 (shared CWE-78)
CVE-2025-20055 (shared CWE-78)
CVE-2026-0796 (shared CWE-78)
CVE-2020-36867 (shared CWE-78)
CVE-2025-70039 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2013-10048 (shared CWE-78)
CVE-2025-64128 (shared CWE-78)


Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
