Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. Coolify CVE-2026-34048: Low-Privilege Terminal Escalation via WebSocket (CVSS 9.9)
Coolify CVE-2026-34048: Low-Privilege Terminal Escalation via WebSocket (CVSS 9.9)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-34048

Coolify CVE-2026-34048: Low-Privilege Terminal Escalation via WebSocket (CVSS 9.9)

A critical privilege escalation flaw in Coolify's terminal WebSocket routes lets any low-privileged team member connect to privileged server terminals by bypassing terminal-level authorization checks.

Dylan H.

Security Team

July 7, 2026
4 min read

Affected Products

  • Coolify < 4.0.0-beta.471

Executive Summary

CVE-2026-34048 is a critical privilege escalation vulnerability in Coolify, the open-source self-hosted server and application management platform. With a CVSS score of 9.9, the flaw exists in the terminal WebSocket bootstrap routes, which enforce user authentication but do not enforce terminal-level authorization. This allows any low-privileged team member to open terminal connections to resources they are not authorized to manage.

The vulnerability is distinct from — but related to — CVE-2026-34047 (which concerns cross-team access). CVE-2026-34048 focuses on within-team privilege escalation: even a read-only or restricted team member can reach terminals for servers and resources that should require elevated privileges.

Fixed in Coolify 4.0.0-beta.471.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-34048
CVSS Score9.9 (Critical)
TypePrivilege Escalation via Missing Terminal Authorization
ComponentTerminal WebSocket bootstrap routes
AuthenticationRequired (low-privileged team member sufficient)
ScopeEscalation to privileged terminal access within team
Fixed InCoolify 4.0.0-beta.471

Technical Details

Root Cause

Coolify implements role-based access within teams — members can have different privilege levels governing what resources they can view or manage. However, the terminal WebSocket bootstrap routes enforce only that a user is authenticated as a Coolify user. They do not check whether the authenticated user holds the terminal authorization permission for the specific resource they are attempting to connect to.

This means:

  • Who can exploit it: Any authenticated Coolify user who is a team member — including read-only or restricted members
  • What they can do: Connect to an interactive terminal for any resource (server, container, database) within the system
  • Authorization gap: The terminal permission layer is completely bypassed

Attack Scenario

  1. Attacker has a low-privilege account on a Coolify team (e.g., "viewer" or "developer" role)
  2. Attacker identifies resource IDs for servers or containers they should not have terminal access to
  3. Attacker initiates a terminal WebSocket connection directly to these resources
  4. The bootstrap route checks authentication only — terminal authorization is not evaluated
  5. Attacker achieves interactive shell access to the target resource

Compared to CVE-2026-34047

AspectCVE-2026-34047CVE-2026-34048
ScopeCross-team accessWithin-team privilege escalation
Attacker positionAny authenticated userLow-privileged team member
Authorization gapMissing team-scoped middlewareMissing terminal permission check
Fixed in4.0.0-beta.4714.0.0-beta.471

Both vulnerabilities share the same fix version and the same underlying pattern: terminal WebSocket bootstrap routes that skip authorization.


Affected Versions

ProductAffected VersionsFixed Version
Coolify< 4.0.0-beta.4714.0.0-beta.471+

Remediation

Immediate Action

Upgrade Coolify to 4.0.0-beta.471 or later.

# Update via install script
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash

Or update via the Coolify dashboard: Settings → Update.

Interim Mitigations

  1. Audit team membership: Remove untrusted or unnecessary team members from your Coolify instance.
  2. Minimize low-privilege accounts: Until patched, low-privilege accounts effectively have terminal-level access — treat all team members as if they have full terminal access.
  3. Network restriction: Restrict Coolify access to known, trusted IPs where possible.
  4. Monitor terminal WebSocket connections: Alert on terminal WebSocket connections from users without expected elevated permissions.

Risk Context

Coolify's team permission model is designed to allow safe delegation — for example, giving developers deployment access without granting them SSH-level server control. CVE-2026-34048 completely undermines this model. Any team member, regardless of assigned role, can reach the server terminal and execute arbitrary commands on managed infrastructure.

For organizations using Coolify to give external developers or clients limited access to their deployments, this vulnerability represents a full infrastructure compromise risk from any team account.


Related Advisories

  • CVE-2026-34037 — Coolify IDOR Cross-Team Resource Takeover
  • CVE-2026-34047 — Coolify Terminal WebSocket Authorization Bypass

References

  • NVD — CVE-2026-34048
  • Coolify GitHub
#CVE-2026-34048#Coolify#Privilege Escalation#WebSocket#Terminal Access#Vulnerability

Related Articles

Coolify CVE-2026-34047: Terminal WebSocket Authorization Bypass (CVSS 9.9)

A critical authorization bypass in Coolify's terminal WebSocket bootstrap routes allows authenticated users to access server terminals for resources outside their team scope.

3 min read

Coolify CVE-2026-34037: CVSS 9.9 IDOR Enables Cross-Team Resource Takeover

A critical IDOR vulnerability in Coolify's cloneTo() Livewire action allows authenticated users to clone and take over resources across team boundaries via unscoped Eloquent lookups.

3 min read

CVE-2026-22172: OpenClaw Critical Authorization Bypass via WebSocket Scope Elevation

A critical CVSS 9.9 authorization bypass in OpenClaw allows authenticated users to self-declare elevated scopes over WebSocket connections without...

6 min read
Back to all Security Alerts