Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. Coolify CVE-2026-34047: Terminal WebSocket Authorization Bypass (CVSS 9.9)
Coolify CVE-2026-34047: Terminal WebSocket Authorization Bypass (CVSS 9.9)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-34047

Coolify CVE-2026-34047: Terminal WebSocket Authorization Bypass (CVSS 9.9)

A critical authorization bypass in Coolify's terminal WebSocket bootstrap routes allows authenticated users to access server terminals for resources outside their team scope.

Dylan H.

Security Team

July 7, 2026
3 min read

Affected Products

  • Coolify < 4.0.0-beta.471

Executive Summary

CVE-2026-34047 is a critical authorization bypass vulnerability in Coolify, the open-source self-hostable server management platform. Rated CVSS 9.9, the flaw affects the terminal WebSocket bootstrap routes, which fail to enforce the expected authorization middleware. Any authenticated Coolify user can leverage this to access the interactive terminal for resources — servers, containers, databases — that belong to teams outside their scope.

This vulnerability is fixed in Coolify 4.0.0-beta.471.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-34047
CVSS Score9.9 (Critical)
TypeAuthorization Bypass
ComponentTerminal WebSocket bootstrap routes
AuthenticationRequired (any authenticated user)
ScopeCross-team terminal access to servers, containers, databases
Fixed InCoolify 4.0.0-beta.471

Technical Details

Root Cause

Coolify's terminal feature exposes interactive WebSocket routes for connecting to managed server terminals and container shells. The bootstrap routes that initiate these WebSocket connections perform authentication (confirming the user is logged in) but skip the authorization middleware that restricts access to resources within the user's team.

This creates a gap:

  • Authentication ✅ — user must be logged in
  • Authorization ❌ — resource ownership is not verified

An attacker who knows (or can enumerate) the resource identifier of an out-of-scope server or container can open a WebSocket terminal session to that resource.

Attack Scenario

  1. Attacker authenticates to a shared Coolify instance (e.g., as a legitimate user of Team A)
  2. Attacker enumerates or guesses resource IDs belonging to Team B
  3. Attacker opens a terminal WebSocket connection to a Team B resource
  4. Authorization middleware is not invoked — connection succeeds
  5. Attacker has full interactive terminal access to Team B's server/container/database

Potential Impact

  • Full shell access to managed servers belonging to other teams
  • Container exec access, enabling data exfiltration or code execution
  • Database shell access — potential for direct SQL execution
  • Lateral movement across the entire infrastructure managed by the Coolify instance

Affected Versions

ProductAffected VersionsFixed Version
Coolify< 4.0.0-beta.4714.0.0-beta.471+

Remediation

Immediate Action

Upgrade Coolify to 4.0.0-beta.471 or later, which adds proper authorization checks to terminal WebSocket bootstrap routes.

# Update via install script
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash

Or update via the Coolify dashboard: Settings → Update.

Interim Mitigations (if patching is delayed)

  1. Restrict Coolify instance access: Place Coolify behind an IP allowlist or VPN — reduce the pool of users who can reach the WebSocket routes.
  2. Single-team instances: If your Coolify deployment is single-team, cross-team risk is eliminated, but upgrade is still required.
  3. Monitor WebSocket connections: Log and alert on WebSocket connections to terminal routes from unexpected source users.
  4. Disable terminal access: If the interactive terminal feature is not in active use, temporarily disable it at the application or network level.

Risk Context

The terminal feature in Coolify provides the same level of access as SSH into a managed server. An authorization bypass here is equivalent to giving any authenticated user SSH-level access to any resource in the system. In multi-tenant deployments — where Coolify is used to manage infrastructure for multiple customers — this represents a near-complete isolation failure.


Related Advisories

  • CVE-2026-34037 — Coolify IDOR Cross-Team Resource Takeover
  • CVE-2026-34048 — Coolify Low-Privilege Terminal Escalation

References

  • NVD — CVE-2026-34047
  • Coolify GitHub
#CVE-2026-34047#Coolify#Authorization Bypass#WebSocket#Terminal Access#Vulnerability

Related Articles

Coolify CVE-2026-34048: Low-Privilege Terminal Escalation via WebSocket (CVSS 9.9)

A critical privilege escalation flaw in Coolify's terminal WebSocket routes lets any low-privileged team member connect to privileged server terminals by bypassing terminal-level authorization checks.

4 min read

CVE-2026-22172: OpenClaw Critical Authorization Bypass via WebSocket Scope Elevation

A critical CVSS 9.9 authorization bypass in OpenClaw allows authenticated users to self-declare elevated scopes over WebSocket connections without...

6 min read

Coolify CVE-2026-34037: CVSS 9.9 IDOR Enables Cross-Team Resource Takeover

A critical IDOR vulnerability in Coolify's cloneTo() Livewire action allows authenticated users to clone and take over resources across team boundaries via unscoped Eloquent lookups.

3 min read
Back to all Security Alerts