Executive Summary
CVE-2026-34048 is a critical privilege escalation vulnerability in Coolify, the open-source self-hosted server and application management platform. With a CVSS score of 9.9, the flaw exists in the terminal WebSocket bootstrap routes, which enforce user authentication but do not enforce terminal-level authorization. This allows any low-privileged team member to open terminal connections to resources they are not authorized to manage.
The vulnerability is distinct from — but related to — CVE-2026-34047 (which concerns cross-team access). CVE-2026-34048 focuses on within-team privilege escalation: even a read-only or restricted team member can reach terminals for servers and resources that should require elevated privileges.
Fixed in Coolify 4.0.0-beta.471.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-34048 |
| CVSS Score | 9.9 (Critical) |
| Type | Privilege Escalation via Missing Terminal Authorization |
| Component | Terminal WebSocket bootstrap routes |
| Authentication | Required (low-privileged team member sufficient) |
| Scope | Escalation to privileged terminal access within team |
| Fixed In | Coolify 4.0.0-beta.471 |
Technical Details
Root Cause
Coolify implements role-based access within teams — members can have different privilege levels governing what resources they can view or manage. However, the terminal WebSocket bootstrap routes enforce only that a user is authenticated as a Coolify user. They do not check whether the authenticated user holds the terminal authorization permission for the specific resource they are attempting to connect to.
This means:
- Who can exploit it: Any authenticated Coolify user who is a team member — including read-only or restricted members
- What they can do: Connect to an interactive terminal for any resource (server, container, database) within the system
- Authorization gap: The terminal permission layer is completely bypassed
Attack Scenario
- Attacker has a low-privilege account on a Coolify team (e.g., "viewer" or "developer" role)
- Attacker identifies resource IDs for servers or containers they should not have terminal access to
- Attacker initiates a terminal WebSocket connection directly to these resources
- The bootstrap route checks authentication only — terminal authorization is not evaluated
- Attacker achieves interactive shell access to the target resource
Compared to CVE-2026-34047
| Aspect | CVE-2026-34047 | CVE-2026-34048 |
|---|---|---|
| Scope | Cross-team access | Within-team privilege escalation |
| Attacker position | Any authenticated user | Low-privileged team member |
| Authorization gap | Missing team-scoped middleware | Missing terminal permission check |
| Fixed in | 4.0.0-beta.471 | 4.0.0-beta.471 |
Both vulnerabilities share the same fix version and the same underlying pattern: terminal WebSocket bootstrap routes that skip authorization.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Coolify | < 4.0.0-beta.471 | 4.0.0-beta.471+ |
Remediation
Immediate Action
Upgrade Coolify to 4.0.0-beta.471 or later.
# Update via install script
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bashOr update via the Coolify dashboard: Settings → Update.
Interim Mitigations
- Audit team membership: Remove untrusted or unnecessary team members from your Coolify instance.
- Minimize low-privilege accounts: Until patched, low-privilege accounts effectively have terminal-level access — treat all team members as if they have full terminal access.
- Network restriction: Restrict Coolify access to known, trusted IPs where possible.
- Monitor terminal WebSocket connections: Alert on terminal WebSocket connections from users without expected elevated permissions.
Risk Context
Coolify's team permission model is designed to allow safe delegation — for example, giving developers deployment access without granting them SSH-level server control. CVE-2026-34048 completely undermines this model. Any team member, regardless of assigned role, can reach the server terminal and execute arbitrary commands on managed infrastructure.
For organizations using Coolify to give external developers or clients limited access to their deployments, this vulnerability represents a full infrastructure compromise risk from any team account.
Related Advisories
- CVE-2026-34037 — Coolify IDOR Cross-Team Resource Takeover
- CVE-2026-34047 — Coolify Terminal WebSocket Authorization Bypass