{
  "variant_id": "CVE-2026-34594-variant-server-destinations-add",
  "created_at": "2026-07-05T06:20:35Z",
  "variant_summary": "Alternate-trigger variant of CVE-2026-34594: the same authenticated command-injection root cause (attacker-controlled Docker network name interpolated unsanitized into the SSH bash -se here-doc via StandaloneDocker::created -> instant_remote_process) is reachable through a different Livewire component, App\\Livewire\\Server\\Destinations::add($name), which takes the network name as a method ARGUMENT (not a #[Validate]-annotated property) and calls StandaloneDocker::create(['network'=>$name]) with no validation of its own. PR #9228 did not touch this component. Confirmed on vulnerable beta.470 (root command execution, marker uid=0(root)); blocked on fixed beta.471 by the setNetworkAttribute model mutator (InvalidArgumentException). Alternate trigger, not a bypass.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "coollabsio/coolify",
  "submitted_target": {
    "target_kind": "release_tag",
    "commit_sha": "575b0766d12bad2a78febff72ab59c017772bcf7",
    "version": "4.0.0-beta.470",
    "ref": "v4.0.0-beta.470",
    "display": "ghcr.io/coollabsio/coolify:4.0.0-beta.470 (tag commit 575b0766d)"
  },
  "variant_target": {
    "target_kind": "release_tag",
    "commit_sha": "914d7e0b50505bc1fd56c34974fca09ad354e92a",
    "version": "4.0.0-beta.471",
    "ref": "v4.0.0-beta.471",
    "display": "ghcr.io/coollabsio/coolify:4.0.0-beta.471 (tag commit 914d7e0b5, fix merge 9e96a20a4)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "Coolify authenticated POST /livewire/update driving the server.destinations Livewire component's add($name) method (network supplied as a method argument), route /server/{uuid}/destinations",
  "attacker_controlled_input": "Livewire method argument $name to server.destinations.add() = 'x;id > /tmp/coolify_variant_pwned_<tag> 2>&1 #' (shell metacharacters ; > #)",
  "trigger_path": "Authenticated POST /livewire/update -> hydrate server.destinations -> add($name) -> authorize('create', StandaloneDocker::class) (passes for any authenticated user) -> StandaloneDocker::create(['network'=>$name]) -> StandaloneDocker::created boot event -> instant_remote_process(['docker network inspect $name ...'],$server) -> SshMultiplexingHelper::generateSshCommand -> ssh root@server 'bash -se' << delim (unsanitized network executed by remote bash as root)",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "Fixed beta.471: App\\Models\\StandaloneDocker::setNetworkAttribute() mutator throws InvalidArgumentException ('Invalid Docker network name...') at app/Models/StandaloneDocker.php:37 during StandaloneDocker::create(), invoked from app/Livewire/Server/Destinations.php:60 (add()). The created event never fires; no command executes; no DB row inserted. (Note: the fix did NOT add regex validation to server.destinations.add() itself; the mutator is the only thing blocking this entry point.)",
  "file_path": "app/Livewire/Server/Destinations.php",
  "line_start": 33,
  "line_end": 64,
  "secondary_anchors": [
    {
      "file_path": "app/Models/StandaloneDocker.php",
      "line_start": 21,
      "line_end": 28
    },
    {
      "file_path": "app/Support/ValidationPatterns.php",
      "line_start": 65,
      "line_end": 66
    }
  ],
  "review_scope_paths": [
    "app/Livewire/Server/Destinations.php",
    "app/Livewire/Destination/New/Docker.php",
    "app/Livewire/Destination/Show.php",
    "app/Models/StandaloneDocker.php",
    "app/Models/SwarmDocker.php",
    "app/Support/ValidationPatterns.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/stack/exploit_variant.py"
    ]
  }
}
