Skip to content
Verified reproduction

CVE-2026-34594: Coolify authenticated command injection in Destination Network Management

CVE-2026-34594 is verified against the affected target vulnerability class: Command Injection This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00245.

REPRO-2026-00245 Command Injection Variant found Jul 6, 2026 .txt
Severity HIGH
Confidence HIGH
Reproduced in 50m 51s
Tool calls 313
Spend $7.51
$ pruva-verify REPRO-2026-00245
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00245/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Authenticated command injection in Coolify Destination Network Management (CVE-2026-34594, GHSA-mf8p-rj62-9f9m). The 'network' parameter from user input is interpolated directly into shell commands (docker network disconnect / docker network rm) without escapeshellarg(), allowing a user with destination management permissions to execute arbitrary commands as root on the Coolify host.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/artifact_promotion_manifest.json13.6 KB
bundle/vuln_variant/source_identity.json1.7 KB
bundle/vuln_variant/root_cause_equivalence.json2.3 KB
bundle/repro/reproduction_steps.sh20.7 KB
bundle/repro/rca_report.md10.6 KB
bundle/repro/validation_verdict.json1.0 KB
bundle/repro/runtime_manifest.json1.2 KB
bundle/logs/vulnerable_marker_1.txt0.1 KB
bundle/logs/vulnerable_attempt_1.log0.3 KB
bundle/logs/fixed_attempt_1.log0.4 KB
bundle/logs/reproduction_steps.log6.7 KB
bundle/logs/stack_vulnerable.log1.0 KB
bundle/logs/setup_vulnerable.log2.3 KB
bundle/logs/vulnerable_attempt_2.log0.3 KB
bundle/logs/vulnerable_marker_2.txt0.1 KB
bundle/logs/stack_fixed.log1.0 KB
bundle/logs/setup_fixed.log0.4 KB
bundle/logs/fixed_attempt_2.log0.4 KB
bundle/vuln_variant/reproduction_steps.sh23.3 KB
bundle/vuln_variant/rca_report.md15.3 KB
bundle/vuln_variant/variant_manifest.json4.5 KB
bundle/vuln_variant/validation_verdict.json3.3 KB
bundle/vuln_variant/patch_analysis.md10.3 KB
bundle/vuln_variant/runtime_manifest.json1.6 KB
bundle/logs/vuln_variant/debug_fixed_evidence.txt0.7 KB
bundle/logs/vuln_variant/vulnerable_marker_1.txt0.1 KB
bundle/logs/vuln_variant/reproduction_steps.log4.2 KB
bundle/logs/vuln_variant/stack_vulnerable.log1.0 KB
bundle/logs/vuln_variant/setup_vulnerable.log0.6 KB
bundle/logs/vuln_variant/vulnerable_attempt_1.log0.7 KB
bundle/logs/vuln_variant/vulnerable_attempt_2.log0.7 KB
bundle/logs/vuln_variant/vulnerable_marker_2.txt0.1 KB
bundle/logs/vuln_variant/stack_fixed.log1.0 KB
bundle/logs/vuln_variant/setup_fixed.log0.4 KB
bundle/logs/vuln_variant/fixed_attempt_1.log0.5 KB
bundle/logs/vuln_variant/fixed_attempt_2.log0.5 KB