coollabsio coolify Image Name os command injection
Description
A vulnerability has been found in coollabsio coolify 4.0.0. Affected is an unknown function of the Image Name Handler component. The manipulation leads to OS command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. The changelog for 4.1.2 mentions "[i]mproved image, branch, proxy, and deployment input validation".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: >=4.0.0,<4.1.2
- (no CPE) range: =4.0.0
Patches
Vulnerability mechanics
Root cause
"Missing input validation on Docker image reference fields allows shell metacharacters to break out of the intended `docker pull` command."
Attack vector
An attacker with the ability to control deployment image references (e.g., a low-privileged user who can configure a service's Docker image field) can inject shell metacharacters such as `;` into the image name. Because Coolify builds the `docker pull` command by concatenating the unsanitized image reference into a shell string, a payload like `alpine; printf ...` breaks out of the intended command and executes arbitrary OS commands on the deployment worker [ref_id=1]. The attack is remote and requires no special network access beyond the Coolify web interface.
Affected code
The vulnerability resides in Coolify's deployment image parsing logic, specifically how Docker image reference fields are normalized and embedded into shell command strings for `docker pull`. The sink is in the component that constructs the shell command from user-supplied image names [ref_id=1].
What the fix does
The advisory does not include a published patch, but the vendor's changelog for version 4.1.2 states "[i]mproved image, branch, proxy, and deployment input validation," which likely addresses this injection vector. The recommended remediation is to never construct Docker commands through shell strings; instead, use argument-array process execution, validate image references against OCI grammar, and reject shell metacharacters and whitespace/control characters [ref_id=1].
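The remediation just described, shown as an added Python example (not Coolify's own code, which is PHP): a validator that adapts the OCI distribution/reference grammar, the shell-string construction the advisory warns against for contrast, and the argument-array form that replaces it. The regex and the sample references are constructed for this example.

```python
"""Added example (not Coolify's code): validate a Docker image reference against
the OCI distribution/reference grammar, then build `docker pull` as an argv list."""
import re
import subprocess

# Grammar adapted from the distribution/reference spec (assumption: it covers
# the usual [registry[:port]/]name[:tag][@digest] forms; exotic cases may differ).
_DOMAIN_COMPONENT = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = rf"{_DOMAIN_COMPONENT}(?:\.{_DOMAIN_COMPONENT})*(?::[0-9]+)?"
_PATH_COMPONENT = r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"
_NAME = rf"(?:{_DOMAIN}/)?{_PATH_COMPONENT}(?:/{_PATH_COMPONENT})*"
_TAG = r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}"
_DIGEST = r"[A-Za-z][A-Za-z0-9]*(?:[+.\-_][A-Za-z][A-Za-z0-9]*)*:[0-9a-fA-F]{32,}"
_REFERENCE = re.compile(rf"(?P<name>{_NAME})(?::{_TAG})?(?:@{_DIGEST})?")


def image_reference_error(ref):
    """Return None if ref matches the grammar end to end, otherwise a reason.
    fullmatch rejects `;`, `|`, `$(`, whitespace and control characters without
    any blocklist; the 255-character cap mirrors the registry name limit."""
    if not isinstance(ref, str) or not ref:
        return "image reference must be a non-empty string"
    m = _REFERENCE.fullmatch(ref)
    if m is None:
        return f"not a well-formed image reference: {ref!r}"
    if len(m.group("name")) > 255:
        return "image name exceeds 255 characters"
    return None

def vulnerable_pull_command(ref):
    """The pattern the advisory describes: input glued into one shell string.
    Shown only for contrast; a shell would treat `;` in ref as a separator."""
    return f"docker pull {ref}"

def safe_pull_argv(ref):
    """Validated reference as its own argv element, so no shell ever parses it."""
    error = image_reference_error(ref)
    if error:
        raise ValueError(error)
    return ["docker", "pull", ref]

def pull_image(ref):
    """Run docker without a shell: a list argv keeps the default shell=False."""
    return subprocess.run(safe_pull_argv(ref), check=True, capture_output=True)

if __name__ == "__main__":
    for c in ("alpine:3.19", "ghcr.io/org/app@sha256:" + "a" * 64, "alpine; id"):
        print(c, "->", image_reference_error(c) or safe_pull_argv(c))
```

Upper-case repository names fail the path rule, which matches Docker's own rejection of them, so the validator does not turn away references the daemon would accept.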
Preconditions
- auth: Attacker must be able to control a Docker image reference field in a Coolify deployment configuration (e.g., as a user with permission to create or update services).
- config: The Coolify deployment worker must execute the constructed shell command (the default behavior).
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- vuldb.com/cve/CVE-2026-12815 (mitre; third-party-advisory)
- vuldb.com/submit/837577 (mitre; third-party-advisory)
- github.com/dxz0069/softwareoverflow/blob/main/coolify_docker_image_reference_shell_injection_vulndb.md (mitre; related)
- vuldb.com/vuln/372609 (mitre; vdb-entry)
- vuldb.com/vuln/372609/cti (mitre; signature, permissions-required)