CVE-2026-34597 – Coolify: Authenticated Host RCE

Posted on June 30, 2026
CVE ID: CVE-2026-34597

Published: June 29, 2026, 8:18 p.m.

Description: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Nixpacks build pack. Specifically, the install_command provided by a user is directly concatenated into a shell command string that is executed on the deployment host during the building phase. An attacker can leverage this to escape the intended build context and execute arbitrary commands with host-level privileges. This vulnerability is fixed in 4.0.0-beta.470.
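The concatenation the description refers to, shown as an added example rather than Coolify's own code (the page does not reproduce the real command line). The nixpacks invocation, the flag name --install-cmd and the two sample install_command values are assumptions constructed for illustration. The block builds the shell line the vulnerable way and two hardened ways, then tokenises each line as a POSIX shell would, without executing anything, to show how many separate commands the deployment host would actually run; the last function is a heuristic for auditing install_command values already stored in an instance.

```python
"""Added example (not Coolify's code): the CVE-2026-34597 bug class.

A user-controlled Nixpacks build parameter (install_command) is pasted into a
shell command string that runs on the deployment host. The 'nixpacks' command
line, its flag and the sample values below are assumptions made for
illustration; Coolify's real command construction is not reproduced here.
"""
import shlex

# Constructed attacker input for the "install command" field. The first single
# quote closes the argument the operator intended to pass; everything after it
# is a second command that the host's shell executes as-is.
MALICIOUS_INSTALL_CMD = "npm ci' ; touch /tmp/pwned ; echo '"

# Constructed benign value, as a normal user would enter it.
BENIGN_INSTALL_CMD = "npm ci --omit=dev"


def vulnerable_build_command(install_command: str) -> str:
    """Vulnerable pattern described in the advisory: the user's value is
    concatenated straight into a shell line (the nixpacks invocation is assumed)."""
    return "nixpacks build . --install-cmd '" + install_command + "'"


def hardened_build_command(install_command: str) -> str:
    """Hardened: quote the value so the shell sees exactly one argument,
    whatever characters it contains. PHP's escapeshellarg() serves the same role."""
    return "nixpacks build . --install-cmd " + shlex.quote(install_command)


def hardened_build_argv(install_command: str) -> list[str]:
    """Better still: never build a shell string at all. An argv list reaches the
    program without a shell ever parsing the user's value."""
    return ["nixpacks", "build", ".", "--install-cmd", install_command]


def shell_commands(command_line: str) -> list[list[str]]:
    """Tokenise a command line the way a POSIX shell would and split it into the
    separate simple commands the shell would run. Redirection tokens are kept
    inside their command; nothing is executed."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = [[]]
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            commands.append([])
        else:
            commands[-1].append(token)
    return [argv for argv in commands if argv]


# Characters a plain package-manager invocation has no reason to contain.
SHELL_METACHARS = ("'", '"', ";", "&", "|", "`", "$(", "\n", "\r")


def suspicious_install_command(install_command: str) -> bool:
    """Audit heuristic for stored build parameters: flags values that carry
    quotes, separators or command substitution for human review. It is a
    triage aid, not a security control; quoting at the boundary is the fix."""
    return any(marker in install_command for marker in SHELL_METACHARS)


if __name__ == "__main__":
    for label, line in [
        ("vulnerable", vulnerable_build_command(MALICIOUS_INSTALL_CMD)),
        ("hardened", hardened_build_command(MALICIOUS_INSTALL_CMD)),
    ]:
        print(f"{label}: {line}")
        for argv in shell_commands(line):
            print("   shell would run:", argv)
    print("argv form:", hardened_build_argv(MALICIOUS_INSTALL_CMD))
    print("suspicious:", suspicious_install_command(MALICIOUS_INSTALL_CMD))
```

Running the block prints both command lines and the commands a shell would derive from each: the vulnerable line yields three (the build, the attacker's touch, and a trailing echo that swallows the closing quote), the quoted line yields one, with the payload intact as its final argument. shlex.quote and PHP's escapeshellarg apply the same idea, wrapping the value in single quotes and re-escaping every embedded single quote, so no input can terminate the quoting.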

Severity: 8.8 | HIGH


🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-34597

⚠️ Vulnerability Description:

CVE-2026-34597 is an authenticated remote code execution flaw in Coolify, the open-source, self-hostable manager for servers, applications and databases, affecting versions prior to 4.0.0-beta.470. When an application is built with the Nixpacks build pack, the user-defined install_command build parameter is concatenated directly into the shell command string that Coolify runs on the deployment host during the build phase. Because the value is spliced in as text rather than passed as a single, quoted argument, any Coolify user who can edit an application's build settings can close the intended argument and append commands of their own, which then execute with the host-level privileges of the account Coolify uses to run builds on that server. The prerequisite is an authenticated Coolify account with the rights to configure and deploy an application; the outcome is compromise of the deployment host and of the workloads it runs, which is why the issue is rated 8.8 (HIGH). The fix is in 4.0.0-beta.470.

1. IMMEDIATE ACTIONS

a. Upgrade First: Update every Coolify instance to 4.0.0-beta.470 or later using the project's documented upgrade procedure. The flaw is in Coolify's own command construction, so no configuration change fully substitutes for the upgrade.
b. Inventory Instances and Hosts: Record each Coolify instance, its version and the servers it manages. Every server a vulnerable instance can deploy to is exposed, not only the machine running the Coolify dashboard.
c. Shrink the Account Population: The attacker must be logged in, so the set of accounts that can create or edit applications is the attack surface. Until patched, remove stale or shared accounts, disable self-registration if your instance allows it, and confine application-editing rights to people you would already trust with root on the deployment hosts.
d. Audit Stored Build Parameters: Review the install_command of every Nixpacks-based application (and, as a precaution, the other user-defined build and start commands) for shell metacharacters: single or double quotes, ;, &&, ||, |, backticks, $( ) and embedded newlines. A package-manager invocation has no need for any of these; treat anything else as a possible past exploitation attempt and establish who set it and when.
e. Hunt on the Hosts: On each deployment host, look for artefacts of an injected command around past build times: unexpected processes, new local users or SSH keys, cron entries, modified system files and outbound connections that do not belong to a build. Correlate with Coolify's deployment logs, which record when each build ran and what it did.

2. PATCH AND UPDATE INFORMATION

a. Fixed Version: 4.0.0-beta.470. Treat all earlier versions as affected.
b. Verify the Fix: After upgrading, confirm the version shown in the instance settings. On a staging instance, deploy a throwaway application whose install_command contains a single quote and a semicolon (for example a value that would echo a marker string if the shell interpreted it) and confirm the value is passed through literally rather than split into commands.
c. No Library Update Required: The vulnerability lies in how Coolify assembles the build command, not in Nixpacks or a third-party dependency; updating Nixpacks alone does not address it.
d. Test Before Rolling Out: As with any control-plane upgrade, test in a non-production instance first, since the instance controls every application it manages.

3. MITIGATION STRATEGIES

a. Treat Build Parameters as Untrusted Input: In forks or custom code paths that still concatenate user-supplied commands, pass each value as a single argument (an argv array) or quote it before it reaches the shell; Coolify is a PHP application, where escapeshellarg() is the primitive for this. Validation is a useful second layer but cannot replace correct quoting, because a legitimate install command may itself need shell syntax.
b. Least Privilege for Deployment Hosts: Where your Coolify version supports connecting to servers as a non-root SSH user, use it, and keep the Coolify control plane on a host separate from the application servers, so that a compromised build cannot also take over the instance managing it.
c. Restrict Access to the Dashboard: Put the Coolify UI and API behind a VPN, an identity-aware proxy or at least IP allow-listing. It is the control plane for every server it manages and should not be reachable from the open Internet.
d. Monitor Configuration Changes: Alert on edits to application build settings and on deployments initiated by unexpected users or at unexpected times, so that a misused account is noticed before the next build runs.

💡 AI-generated; review with a security professional before acting.

©2026 | Design: Newspaperly WordPress Theme