CVE-2026-34048

Coollabsio · Coolify

Coolify terminal WebSocket routes fail to enforce team-based authorization, enabling low-privileged team members to execute commands on servers belonging to other teams.

Executive summary

A critical missing authorization flaw in Coolify allows low-privileged users to execute commands on unauthorized servers, creating a high risk of cross-team privilege escalation.

Vulnerability

The vulnerability exists because terminal WebSocket bootstrap routes only verify general authentication rather than specific team-based authorization. This allows a low-privileged user to establish terminal connections to resources they are not permitted to access, facilitating unauthorized command execution.

Business impact

With a CVSS score of 9.9, this vulnerability carries severe business risk, including the potential for cross-team data compromise and unauthorized infrastructure manipulation. If exploited, a malicious insider or compromised low-privileged account could gain control over servers they are not authorized to manage, leading to significant security breaches and operational disruption.

Remediation

Immediate Action: Update Coolify to version 4.0.0-beta.471 or later to enforce mandatory terminal authorization checks.

Proactive Monitoring: Monitor logs for unauthorized terminal connection attempts or unexpected shell activity initiated by low-privileged user accounts.

Compensating Controls: Implement strict network-level segmentation to isolate team environments, reducing the ability for cross-resource terminal connections if the application layer is compromised.

Exploitation status

Public Exploit Available: False

Analyst recommendation

The missing authorization control in Coolify presents an urgent security risk that must be addressed. Administrators should deploy the provided update immediately to ensure that terminal access is correctly gated by team permissions and to prevent unauthorized command execution across the server fleet.