[06:19:43] === CVE-2026-34594 VARIANT reproduction start === [06:19:43] variant entry point: server.destinations Livewire component -> add($name) (method argument) [06:19:44] starting stack with ghcr.io/coollabsio/coolify:4.0.0-beta.470 [06:20:00] coolify healthy (attempt 2) [06:20:03] auto-seed/server present (attempt 2) [06:20:04] bootstrap ok SERVER_UUID=km0rvg0s87gblqtva4fyke0h [06:20:04] installing python3+requests in coolify-testing-host PY_OK [06:20:07] python3+requests ready [06:20:07] variant exploit attempt vuln-1 (marker=/tmp/coolify_variant_pwned_vuln_1) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found name=server.destinations livewire_update_status=200 effects redirect=None html_len=8474 comp_status=None RESPONSE_SNIPPET=General Advanced Sentinel Private Key CA Certificate Cloudflare Tunnel Docker Cleanup Destinations Log Drains Metrics Swarm (experimental) Danger Destinations { if (!value) { $wire.dispatch('modalClosed') } })" :class="{ 'z-40': modalOpen }" @keydown.window.escape="modalOpen=false" class="relative w-auto h-auto" wire:ignore> + Add { if(value) { $nextTick(() => { const firstInput = $el.querySelector('input, textarea, select'); firstInput?.focus(); }) } })" class="fixed top-0 left-0 z-99 flex item EXPLOIT_DONE [06:20:09] VULN variant attempt 1: MARKER PRESENT -> uid=0(root) gid=0(root) groups=0(root) [06:20:09] variant exploit attempt vuln-2 (marker=/tmp/coolify_variant_pwned_vuln_2) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found name=server.destinations livewire_update_status=200 effects redirect=None html_len=8918 comp_status=None RESPONSE_SNIPPET=General Advanced Sentinel Private Key CA Certificate Cloudflare Tunnel Docker Cleanup Destinations Log Drains Metrics Swarm (experimental) Danger Destinations { if (!value) { $wire.dispatch('modalClosed') } })" :class="{ 'z-40': modalOpen }" @keydown.window.escape="modalOpen=false" class="relative w-auto h-auto" wire:ignore> + Add { if(value) { $nextTick(() => { const firstInput = $el.querySelector('input, textarea, select'); firstInput?.focus(); }) } })" class="fixed top-0 left-0 z-99 flex item EXPLOIT_DONE [06:20:10] VULN variant attempt 2: MARKER PRESENT -> uid=0(root) gid=0(root) groups=0(root) [06:20:10] vulnerable variant summary: 2/2 attempts produced command execution [06:20:11] starting stack with ghcr.io/coollabsio/coolify:4.0.0-beta.471 [06:20:27] coolify healthy (attempt 2) [06:20:30] auto-seed/server present (attempt 2) [06:20:31] bootstrap ok SERVER_UUID=m11wmbmptw0119y48u4hpxwu [06:20:31] installing python3+requests in coolify-testing-host PY_OK [06:20:33] python3+requests ready [06:20:34] variant exploit attempt fixed-1 (marker=/tmp/coolify_variant_pwned_fixed_1) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found name=server.destinations livewire_update_status=500 non_json_resp:

500

Wait, this is not cool...

< EXPLOIT_DONE [06:20:34] FIXED variant attempt 1: no marker (variant blocked by model mutator) as expected [06:20:34] variant exploit attempt fixed-2 (marker=/tmp/coolify_variant_pwned_fixed_2) login_status=200 final_url=http://coolify:8080 dest_page_status=200 snapshot_found name=server.destinations livewire_update_status=500 non_json_resp:

500

Wait, this is not cool...

< EXPLOIT_DONE [06:20:35] FIXED variant attempt 2: no marker (variant blocked by model mutator) as expected [06:20:35] fixed variant summary: 0/2 attempts produced command execution (expect 0) [06:20:35] VERDICT: ALTERNATE_TRIGGER_CONFIRMED - variant reproduces on vulnerable (beta.470) and is BLOCKED on fixed (beta.471) by the setNetworkAttribute model mutator. Not a bypass. [06:20:35] === variant reproduction end (alternate_trigger_confirmed=1 bypass=0) ===