CVE-2026-34047

Coollabsio · Coolify

Coolify terminal WebSocket routes fail to enforce authorization, allowing authenticated users to access and execute commands on unauthorized resources.

Executive summary

A critical authorization vulnerability in Coolify allows authenticated users to bypass scope restrictions and execute arbitrary commands, posing a severe risk of unauthorized system control.

Vulnerability

This vulnerability involves an improper authorization flaw where terminal WebSocket bootstrap routes fail to validate user permissions. An authenticated user can leverage this to access terminal functionality for resources outside their authorized scope, potentially leading to arbitrary command execution.

Business impact

The impact of this vulnerability is critical, as it allows for unauthorized lateral movement and command execution within the infrastructure managed by Coolify. Given the CVSS score of 9.9, the potential for total system compromise is extremely high, which could lead to data exfiltration, service disruption, and complete loss of integrity for the managed applications and databases.

Remediation

Immediate Action: Upgrade Coolify to version 4.0.0-beta.471 or later immediately to apply the necessary authorization middleware fixes.

Proactive Monitoring: Review system and application access logs for unusual terminal session activity or commands executed by users outside of their assigned project scopes.

Compensating Controls: If immediate patching is not possible, restrict network access to the Coolify administrative interface to trusted management subnets only to limit the attack surface.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents a significant security risk due to the potential for unauthorized command execution across managed environments. Organizations should prioritize upgrading to version 4.0.0-beta.471 as soon as possible to ensure proper authorization enforcement and prevent unauthorized access to critical infrastructure.