A vulnerability, which was classified as very critical, has been found in coollabsio Coolify up to 4.0.0-beta.473. Impacted is an unknown function of the component API Layer. The manipulation of the argument redis_password/keydb_password/dragonfly_password/clickhouse_admin_user/clickhouse_admin_password/postgres_user/mysql_user leads to os command injection.

This vulnerability is documented as CVE-2026-42201. The attack can be initiated remotely. There is not any exploit available.