[05:53:39] === CVE-2026-34594 reproduction start === [05:53:39] starting stack with ghcr.io/coollabsio/coolify:4.0.0-beta.470 [05:53:55] coolify healthy (attempt 2) [05:55:26] === CVE-2026-34594 reproduction start === [05:55:28] starting stack with ghcr.io/coollabsio/coolify:4.0.0-beta.470 [05:55:41] coolify healthy (attempt 2) [05:55:44] auto-seed complete (localhost server present, attempt 2) [05:55:44] bootstrap retry 1 [05:55:50] bootstrap retry 2 [05:55:55] bootstrap retry 3 [05:56:01] bootstrap retry 4 [05:56:06] bootstrap retry 5 [05:56:11] FATAL: bootstrap failed [05:57:47] === CVE-2026-34594 reproduction start === [05:57:49] starting stack with ghcr.io/coollabsio/coolify:4.0.0-beta.470 [05:58:05] coolify healthy (attempt 2) [05:58:08] auto-seed complete (localhost server present, attempt 2) [05:58:09] bootstrap ok SERVER_UUID=noocw2nk7sgl8n882l1bbdoi [05:58:09] installing python3+requests in coolify-testing-host PY_OK [05:58:12] python3+requests ready [05:58:12] exploit attempt vuln-1 (marker=/tmp/coolify_net_pwned_vuln_1) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found serverId=1 default_network=zvvrv7e596mxnp42d8fv1ufv livewire_update_status=200 effects redirect=http://coolify:8080/destination/w14b186ewclwa2khlznaoqsq html_len=0 DESTINATION_CREATED redirect=http://coolify:8080/destination/w14b186ewclwa2khlznaoqsq EXPLOIT_DONE [05:58:13] VULN attempt 1: MARKER PRESENT -> uid=0(root) gid=0(root) groups=0(root) [05:58:13] exploit attempt vuln-2 (marker=/tmp/coolify_net_pwned_vuln_2) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found serverId=1 default_network=yjd8zlk0xcr6gfod8rpc6oox livewire_update_status=200 effects redirect=http://coolify:8080/destination/l139l6riqdim0fjqx2w25i0z html_len=0 DESTINATION_CREATED redirect=http://coolify:8080/destination/l139l6riqdim0fjqx2w25i0z EXPLOIT_DONE [05:58:14] VULN attempt 2: MARKER PRESENT -> uid=0(root) gid=0(root) groups=0(root) [05:58:14] vulnerable summary: 2/2 attempts produced command execution [05:58:16] starting stack with ghcr.io/coollabsio/coolify:4.0.0-beta.471 [05:58:32] coolify healthy (attempt 2) [05:58:35] auto-seed complete (localhost server present, attempt 2) [05:58:36] bootstrap ok SERVER_UUID=i12rb20zyc95wt915kkad861 [05:58:36] installing python3+requests in coolify-testing-host PY_OK [05:58:39] python3+requests ready [05:58:39] exploit attempt fixed-1 (marker=/tmp/coolify_net_pwned_fixed_1) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found serverId=1 default_network=xix8ghmtv431k31r23xi3zge livewire_update_status=200 effects redirect=None html_len=3837 VALIDATION_BLOCKED snippet=Destinations are used to segregate resources by network. Name * Network * The network field format is invalid. Select a server * Select a server localhost Continue EXPLOIT_DONE [05:58:40] FIXED attempt 1: no marker (injection blocked) as expected [05:58:40] exploit attempt fixed-2 (marker=/tmp/coolify_net_pwned_fixed_2) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found serverId=1 default_network=rbiq6lq06wnqrg23smt1tw2v livewire_update_status=200 effects redirect=None html_len=3837 VALIDATION_BLOCKED snippet=Destinations are used to segregate resources by network. Name * Network * The network field format is invalid. Select a server * Select a server localhost Continue EXPLOIT_DONE [05:58:40] FIXED attempt 2: no marker (injection blocked) as expected [05:58:40] fixed summary: 2/2 attempts blocked the injection [05:58:40] VERDICT: CONFIRMED - vulnerable build executes attacker commands as root; fixed build rejects the input. [05:58:41] === reproduction end (confirmed=1) === [06:00:50] === CVE-2026-34594 reproduction start === [06:00:52] starting stack with ghcr.io/coollabsio/coolify:4.0.0-beta.470 [06:01:08] coolify healthy (attempt 2) [06:01:11] auto-seed complete (localhost server present, attempt 2) [06:01:11] bootstrap ok SERVER_UUID=l1x2s0ywcey6jfigy7oqzoog [06:01:11] installing python3+requests in coolify-testing-host PY_OK [06:01:14] python3+requests ready [06:01:14] exploit attempt vuln-1 (marker=/tmp/coolify_net_pwned_vuln_1) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found serverId=1 default_network=xay7k8s3825i04edlccsu4c9 livewire_update_status=200 effects redirect=http://coolify:8080/destination/o6b37zcnawz4a454hlzpzq9u html_len=0 DESTINATION_CREATED redirect=http://coolify:8080/destination/o6b37zcnawz4a454hlzpzq9u EXPLOIT_DONE [06:01:16] VULN attempt 1: MARKER PRESENT -> uid=0(root) gid=0(root) groups=0(root) [06:01:16] exploit attempt vuln-2 (marker=/tmp/coolify_net_pwned_vuln_2) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found serverId=1 default_network=frwgv9101qq0wrq6wvd32emc livewire_update_status=200 effects redirect=http://coolify:8080/destination/wzynfa8xghvn8b2i913qybuc html_len=0 DESTINATION_CREATED redirect=http://coolify:8080/destination/wzynfa8xghvn8b2i913qybuc EXPLOIT_DONE [06:01:17] VULN attempt 2: MARKER PRESENT -> uid=0(root) gid=0(root) groups=0(root) [06:01:17] vulnerable summary: 2/2 attempts produced command execution [06:01:18] starting stack with ghcr.io/coollabsio/coolify:4.0.0-beta.471 [06:01:34] coolify healthy (attempt 2) [06:01:37] auto-seed complete (localhost server present, attempt 2) [06:01:37] bootstrap ok SERVER_UUID=zl1fksgvn53dp1weo6vaijkt [06:01:37] installing python3+requests in coolify-testing-host PY_OK [06:01:41] python3+requests ready [06:01:41] exploit attempt fixed-1 (marker=/tmp/coolify_net_pwned_fixed_1) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found serverId=1 default_network=e10z28yfwvele00aedhg45nm livewire_update_status=200 effects redirect=None html_len=3837 VALIDATION_BLOCKED snippet=Destinations are used to segregate resources by network. Name * Network * The network field format is invalid. Select a server * Select a server localhost Continue EXPLOIT_DONE [06:01:41] FIXED attempt 1: no marker (injection blocked) as expected [06:01:42] exploit attempt fixed-2 (marker=/tmp/coolify_net_pwned_fixed_2) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found serverId=1 default_network=r479xmw0nsgkyw4z5qktupbo livewire_update_status=200 effects redirect=None html_len=3837 VALIDATION_BLOCKED snippet=Destinations are used to segregate resources by network. Name * Network * The network field format is invalid. Select a server * Select a server localhost Continue EXPLOIT_DONE [06:01:42] FIXED attempt 2: no marker (injection blocked) as expected [06:01:42] fixed summary: 2/2 attempts blocked the injection [06:01:42] VERDICT: CONFIRMED - vulnerable build executes attacker commands as root; fixed build rejects the input. [06:01:42] === reproduction end (confirmed=1) ===