Cyber Resilience

CVE-2026-34597

HighRCE

Published: 29 June 2026

Published
29 June 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0053 40.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34597 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for…

more

the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CWE-78 command injection in Coolify (public management app) directly enables exploitation via T1190 and results in arbitrary Unix shell execution (T1059.004) on the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30861Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2026-27728Shared CWE-78
CVE-2025-8613Shared CWE-78
CVE-2026-27626Shared CWE-78
CVE-2025-2257Shared CWE-78
CVE-2026-33208Shared CWE-78
CVE-2026-32892Shared CWE-78
CVE-2026-2043Shared CWE-78
CVE-2013-10048Shared CWE-78

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References