Severity: Medium | CVSS v3.1: 6.6/10 | Class: Command Injection | Status: Public | CVE-2026-27955

Public since February 2026

Coolify Command Wrapping Let Single Quotes Escape to the Host

BugBunny.ai reported that Coolify’s executeInDocker() helper embedded attacker-controlled deployment commands directly inside a bash -c string delimited by single quotes. A malicious single quote in a custom compose command could break out of the intended container command context and execute on the managed host.

TL;DR

Impact

Authorized deployment users can turn custom compose commands into command execution on the managed server host.

Vector

Single-quote injection in docker_compose_custom_build_command or docker_compose_custom_start_command.

Surface

Coolify releases before 4.0.0-beta.464.

Status

CVE assigned during coordination; fixed in Coolify 4.0.0-beta.464.

Root Cause

executeInDocker() returned a shell string of the form bash -c '$command' without escaping single quotes inside the command payload. Because a single quote ends the quoted segment, any user-controlled command text that reached the helper could terminate the intended command and append its own, making command injection trivial at every such call site.

The codebase already escaped other command fields passed to the exact same helper, which confirms the maintainers knew about this risk class. The bug existed because structurally identical call sites were left unprotected, allowing an attacker to escape the builder container's command context and run commands on the host.

Product

Coolify

Affected

<4.0.0

Patched

4.0.0-beta.464

Weaknesses

CWE-78: Improper Neutralization of Special Elements used in an OS Command

Mitigation

  • Upgrade to Coolify 4.0.0-beta.464 or later.
  • Escape or avoid shell interpolation inside executeInDocker() centrally instead of relying on scattered call-site fixes.
  • Review all command-construction helpers for inconsistent escaping across deployment paths.
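The following PHP script is an added illustration of the pattern described in the Root Cause section and of the central fix recommended above; it is not Coolify's code. The helper names (wrapVulnerable, wrapSafe, shellWords) are hypothetical, the sample command is constructed, and escapeshellarg() behaviour assumed is that of PHP on Linux, where it wraps the argument in single quotes and rewrites each embedded quote as '\''. The small tokenizer mimics how a POSIX shell splits a command line on whitespace, single quotes and backslashes, so a reviewer can confirm that a wrapper hands the entire payload to bash -c as exactly one argument.

```php
<?php
declare(strict_types=1);

// Vulnerable shape (hypothetical reconstruction of the advisory's description):
// the payload is dropped straight into a single-quoted bash -c string, so a
// single quote in the payload ends the quoting.
function wrapVulnerable(string $container, string $command): string
{
    return "docker exec {$container} bash -c '{$command}'";
}

// Hardened shape: every interpolated value goes through escapeshellarg(), so the
// payload always survives as one shell word no matter what characters it holds.
function wrapSafe(string $container, string $command): string
{
    return 'docker exec ' . escapeshellarg($container)
        . ' bash -c ' . escapeshellarg($command);
}

// Minimal shell word splitter: whitespace separates words, '...' is literal,
// and a backslash outside quotes escapes the next character. Enough to show
// what bash -c would actually receive as its argument.
function shellWords(string $line): array
{
    $words = [];
    $cur = '';
    $inWord = false;
    $len = strlen($line);
    for ($i = 0; $i < $len; $i++) {
        $ch = $line[$i];
        if ($ch === "'") {
            $inWord = true;
            $end = strpos($line, "'", $i + 1);
            if ($end === false) {
                throw new RuntimeException('unterminated single quote');
            }
            $cur .= substr($line, $i + 1, $end - $i - 1);
            $i = $end;
        } elseif ($ch === '\\' && $i + 1 < $len) {
            $inWord = true;
            $cur .= $line[++$i];
        } elseif ($ch === ' ' || $ch === "\t" || $ch === "\n") {
            if ($inWord) {
                $words[] = $cur;
                $cur = '';
                $inWord = false;
            }
        } else {
            $inWord = true;
            $cur .= $ch;
        }
    }
    if ($inWord) {
        $words[] = $cur;
    }
    return $words;
}

// Review check: the last word the shell produces must be the untouched payload.
function payloadIsSingleArgument(string $wrapped, string $payload): bool
{
    $words = shellWords($wrapped);
    return $words !== [] && end($words) === $payload;
}

// Constructed sample: a legitimate custom command that happens to contain quotes.
$custom = "echo 'build done'";

$safe = wrapSafe('builder', $custom);
$vuln = wrapVulnerable('builder', $custom);

printf("hardened : %s\n  single argument: %s\n", $safe,
    payloadIsSingleArgument($safe, $custom) ? 'yes' : 'no');
printf("vulnerable: %s\n  single argument: %s\n", $vuln,
    payloadIsSingleArgument($vuln, $custom) ? 'yes' : 'no');
```

Run it with php on the command line: the hardened wrapper reports that the payload reaches bash -c intact as one argument, while the vulnerable wrapper shows the shell splitting the payload at the embedded quotes, which is the break-out the advisory describes. The same check can be applied to every command-construction helper in a deployment path to catch call sites that were left unescaped.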

Credits & Disclosure

CVE-2026-27955 was assigned during coordinated disclosure based on GitHub Security Advisory GHSA-6h8g-wpxp-cq98.
