CVE-2026-34047
Received Received - Intake

Terminal Command Execution in Coolify Prior to 4.0.0-beta.471

Vulnerability report for CVE-2026-34047, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outside the authorized scope and potentially execute commands. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.470 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34047 is a critical authorization vulnerability in Coolify, an open-source server management tool. Before version 4.0.0-beta.471, certain terminal WebSocket bootstrap routes did not enforce proper authorization middleware. This allowed authenticated users with low privileges (such as team members) to access terminal functionality beyond their authorized scope.

Specifically, the backend terminal endpoints only checked if a user was authenticated but did not verify if they had the required permissions (like admin or owner roles). As a result, low-privileged users could bypass frontend restrictions and execute arbitrary commands on managed hosts with root privileges.

The vulnerability was fixed by applying the existing 'can.access.terminal' authorization middleware to the affected routes, ensuring consistent role-based access control.

Impact Analysis

This vulnerability can have severe impacts because it allows low-privileged authenticated users to execute arbitrary commands on managed servers with root privileges.

  • Full host compromise by unauthorized users.
  • Potential unauthorized access to sensitive data and system resources.
  • Complete loss of confidentiality, integrity, and availability of the affected systems.
  • Attackers can retrieve sensitive information such as SSH private keys and use them to further escalate access.
Detection Guidance

This vulnerability involves unauthorized access to terminal WebSocket bootstrap routes that lack proper authorization middleware. Detection involves monitoring access to the affected endpoints and verifying authorization enforcement.

Specifically, the vulnerable routes are POST /terminal/auth and POST /terminal/auth/ips. You can detect exploitation attempts by checking for unusual or unauthorized POST requests to these endpoints.

Suggested commands to detect potential exploitation attempts include inspecting web server logs or using network monitoring tools to filter for POST requests to these paths.

  • Use grep or similar tools on server logs to find POST requests to /terminal/auth and /terminal/auth/ips, e.g., `grep 'POST /terminal/auth' /var/log/nginx/access.log`
  • Monitor WebSocket connections targeting terminal endpoints for unauthorized access patterns.
  • Check for API token generation and SSH private key retrieval activities by low-privileged users, which are part of the exploit chain.

Since the backend did not enforce role-based authorization before version 4.0.0-beta.471, any authenticated user with a Member role accessing these endpoints could indicate exploitation.

Mitigation Strategies

The primary mitigation is to upgrade Coolify to version 4.0.0-beta.471 or later, where the authorization middleware enforcing role-based access control on terminal bootstrap routes has been applied.

If immediate upgrade is not possible, restrict access to the affected endpoints (POST /terminal/auth and POST /terminal/auth/ips) to only trusted administrators or owners by network-level controls such as firewall rules.

Review and limit API token generation permissions to prevent low-privileged users from obtaining tokens that could be used to exploit the vulnerability.

Audit team roles and permissions to ensure that only authorized users have access to terminal functionality.

Monitor logs for suspicious activity related to terminal access and API token usage.

Compliance Impact

CVE-2026-34047 allows low-privileged authenticated users to bypass authorization controls and execute arbitrary commands on managed hosts as root, leading to full host compromise. This critical authorization flaw impacts confidentiality, integrity, and availability of data and systems.

Such a vulnerability can severely affect compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Unauthorized command execution and potential data exposure violate principles of least privilege and data security mandated by these regulations.

Organizations using vulnerable versions of Coolify may face risks of unauthorized data access, data breaches, and system integrity violations, potentially resulting in non-compliance penalties and legal consequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34047. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart