Executive Summary
CVE-2026-34047 is a critical authorization bypass vulnerability in Coolify, the open-source self-hostable server management platform. Rated CVSS 9.9, the flaw affects the terminal WebSocket bootstrap routes, which fail to enforce the expected authorization middleware. Any authenticated Coolify user can leverage this to access the interactive terminal for resources — servers, containers, databases — that belong to teams outside their scope.
This vulnerability is fixed in Coolify 4.0.0-beta.471.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-34047 |
| CVSS Score | 9.9 (Critical) |
| Type | Authorization Bypass |
| Component | Terminal WebSocket bootstrap routes |
| Authentication | Required (any authenticated user) |
| Scope | Cross-team terminal access to servers, containers, databases |
| Fixed In | Coolify 4.0.0-beta.471 |
Technical Details
Root Cause
Coolify's terminal feature exposes interactive WebSocket routes for connecting to managed server terminals and container shells. The bootstrap routes that initiate these WebSocket connections perform authentication (confirming the user is logged in) but skip the authorization middleware that restricts access to resources within the user's team.
This creates a gap:
- Authentication ✅ — user must be logged in
- Authorization ❌ — resource ownership is not verified
An attacker who knows (or can enumerate) the resource identifier of an out-of-scope server or container can open a WebSocket terminal session to that resource.
Attack Scenario
- Attacker authenticates to a shared Coolify instance (e.g., as a legitimate user of Team A)
- Attacker enumerates or guesses resource IDs belonging to Team B
- Attacker opens a terminal WebSocket connection to a Team B resource
- Authorization middleware is not invoked — connection succeeds
- Attacker has full interactive terminal access to Team B's server/container/database
Potential Impact
- Full shell access to managed servers belonging to other teams
- Container exec access, enabling data exfiltration or code execution
- Database shell access — potential for direct SQL execution
- Lateral movement across the entire infrastructure managed by the Coolify instance
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Coolify | < 4.0.0-beta.471 | 4.0.0-beta.471+ |
Remediation
Immediate Action
Upgrade Coolify to 4.0.0-beta.471 or later, which adds proper authorization checks to terminal WebSocket bootstrap routes.
# Update via install script
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bashOr update via the Coolify dashboard: Settings → Update.
Interim Mitigations (if patching is delayed)
- Restrict Coolify instance access: Place Coolify behind an IP allowlist or VPN — reduce the pool of users who can reach the WebSocket routes.
- Single-team instances: If your Coolify deployment is single-team, cross-team risk is eliminated, but upgrade is still required.
- Monitor WebSocket connections: Log and alert on WebSocket connections to terminal routes from unexpected source users.
- Disable terminal access: If the interactive terminal feature is not in active use, temporarily disable it at the application or network level.
Risk Context
The terminal feature in Coolify provides the same level of access as SSH into a managed server. An authorization bypass here is equivalent to giving any authenticated user SSH-level access to any resource in the system. In multi-tenant deployments — where Coolify is used to manage infrastructure for multiple customers — this represents a near-complete isolation failure.
Related Advisories
- CVE-2026-34037 — Coolify IDOR Cross-Team Resource Takeover
- CVE-2026-34048 — Coolify Low-Privilege Terminal Escalation