CVE-2026-34048
Received Received - Intake

Terminal Command Execution in Coolify Prior to 4.0.0-beta.471

Vulnerability report for CVE-2026-34048, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes and execute commands on team servers. This issue is fixed in version 4.0.0-beta.471.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.471 (exc)
coollabsio coolify to 4.0.0-beta.470 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34048 is a critical security vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. Before version 4.0.0-beta.471, the terminal websocket bootstrap routes only checked if a user was authenticated but did not enforce proper authorization. This allowed low-privileged team members to connect to terminal routes and execute commands on team servers, bypassing intended restrictions.

Specifically, the websocket endpoints (/terminal/auth and /terminal/auth/ips) lacked the authorization middleware that enforces the 'can.access.terminal' permission, which is required to access terminal functionality. This mismatch between the UI and backend authorization allowed unauthorized command execution.

Impact Analysis

This vulnerability can have severe impacts including unauthorized command execution on managed servers by low-privileged users. An attacker can escalate privileges, potentially gaining root access, access containers, disclose secrets, and perform malicious actions such as redeployments or service disruptions.

The exploit requires no user interaction, is network-reachable, and has low attack complexity, making it highly dangerous. It affects confidentiality, integrity, and availability of the systems managed by Coolify.

Detection Guidance

This vulnerability involves unauthorized access to terminal websocket bootstrap routes in Coolify. Detection can focus on monitoring access to the endpoints POST /terminal/auth and POST /terminal/auth/ips for unusual or unauthorized usage.

You can check your system logs or network traffic for requests to these endpoints from low-privileged users or unexpected sources.

Since the vulnerability allows execution of commands via websocket sessions, monitoring for unexpected terminal websocket connections or command executions by non-administrative users can help detect exploitation attempts.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to filter traffic to /terminal/auth and /terminal/auth/ips endpoints.
  • Check application logs for websocket connections initiated by low-privileged users.
  • Audit user roles and permissions in Coolify to identify any low-privileged users accessing terminal features.
Mitigation Strategies

The primary mitigation is to upgrade Coolify to version 4.0.0-beta.471 or later, where the authorization middleware enforcing terminal access restrictions has been applied to the websocket bootstrap routes.

Until the upgrade can be performed, restrict access to the terminal websocket bootstrap endpoints (/terminal/auth and /terminal/auth/ips) to only trusted administrative users via network controls or firewall rules.

Review and tighten user permissions to ensure that only authorized administrators or owners have terminal access.

Monitor for suspicious activity on terminal websocket endpoints and consider temporarily disabling terminal features if possible.

Compliance Impact

This vulnerability allows low-privileged team members to execute arbitrary commands on team servers, potentially gaining root access and disclosing secrets. Such unauthorized access and potential data disclosure can lead to violations of confidentiality, integrity, and availability requirements mandated by common standards and regulations like GDPR and HIPAA.

Because the vulnerability enables privilege escalation and unauthorized command execution on managed servers, it increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34048. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart