CVE-2026-34048 Overview
Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. Versions prior to 4.0.0-beta.471 contain a broken access control flaw in the terminal websocket bootstrap routes. These routes verify authentication but skip terminal authorization checks. Any low-privileged team member can connect to a terminal route and execute arbitrary commands on team servers. The issue is tracked under CWE-285: Improper Authorization and fixed in version 4.0.0-beta.471.
Critical Impact
A low-privileged authenticated user can execute arbitrary commands on any team server through unauthorized terminal websocket access, resulting in full compromise of managed infrastructure.
Affected Products
- Coolify versions prior to 4.0.0-beta.471
- Self-hosted Coolify deployments managing multi-user teams
- Coolify instances exposing terminal websocket routes to authenticated users
Discovery Timeline
- 2026-07-07 - CVE-2026-34048 published to NVD
- 2026-07-07 - Last updated in NVD database
- v4.0.0-beta.471 - Coolify releases patched version with authorization middleware
Technical Details for CVE-2026-34048
Vulnerability Analysis
The vulnerability resides in Coolify's terminal websocket bootstrap routes defined in routes/web.php. These routes handle authentication for interactive shell sessions on servers managed by Coolify. The route handlers verify that a request comes from a logged-in user through auth()->check(). However, they do not validate whether that user holds terminal access privileges on the target server.
Coolify implements team-based role separation with distinct permission scopes for administrators and members. The missing authorization step allows any authenticated team member, regardless of role, to bootstrap a websocket terminal session. Once the session is established, the attacker gains an interactive shell on the server with the privileges of the Coolify agent.
Root Cause
The root cause is a missing authorization middleware on the terminal.auth route and related terminal bootstrap endpoints. Authentication and authorization are conflated as a single check. The application trusts session validity as sufficient grounds to grant terminal access. This aligns with the classification under CWE-285: Improper Authorization.
Attack Vector
An attacker requires only low-privileged team credentials on a target Coolify instance. The attacker authenticates normally, then initiates a websocket connection to the terminal bootstrap route. Because the middleware chain skips terminal authorization, the server upgrades the connection and attaches a shell. The attacker can then issue arbitrary commands against any server the team manages. The scope changes from a limited application user to full server operator, which reflects the scope-changed classification of the flaw.
}
return response()->json(['authenticated' => false], 401);
- })->name('terminal.auth');
+ })->name('terminal.auth')->middleware('can.access.terminal');
Route::post('/terminal/auth/ips', function () {
if (auth()->check()) {
Source: Coolify commit 847166a — the patch attaches the can.access.terminal middleware to the terminal.auth route, enforcing per-user terminal authorization before websocket bootstrap.
Detection Methods for CVE-2026-34048
Indicators of Compromise
- Websocket connection requests to /terminal/auth or /terminal/auth/ips originating from user accounts without administrative roles.
- Unexpected shell processes spawned by the Coolify agent on managed servers outside normal deployment activity.
- New outbound connections from managed servers to attacker-controlled hosts following a terminal session.
- Audit log gaps where terminal sessions appear without corresponding role-based approval events.
Detection Strategies
- Correlate Coolify application logs with team role assignments to identify terminal sessions opened by non-admin users.
- Inspect reverse proxy or load balancer logs for HTTP 101 Switching Protocols responses on terminal routes tied to low-privileged sessions.
- Baseline expected terminal session frequency per user and alert on deviations, particularly outside business hours.
- Monitor process execution telemetry on managed hosts for shells parented by the Coolify runtime and cross-reference with authorized change tickets.
Monitoring Recommendations
- Forward Coolify web and websocket access logs to a centralized logging platform for retention and correlation.
- Enable command auditing (auditd or equivalent) on all servers registered with Coolify to record shell activity.
- Alert on any invocation of privilege escalation utilities (sudo, su, pkexec) originating from Coolify agent sessions.
How to Mitigate CVE-2026-34048
Immediate Actions Required
- Upgrade all Coolify instances to version 4.0.0-beta.471 or later without delay.
- Review team membership and revoke access for users who no longer require it, applying least privilege.
- Rotate SSH keys, API tokens, and secrets stored in Coolify if unauthorized terminal access is suspected.
- Audit shell history and command execution logs on managed servers for the period preceding the upgrade.
Patch Information
Coolify addressed the flaw in release v4.0.0-beta.471. The fix applies the can.access.terminal authorization middleware to terminal bootstrap routes, as documented in GitHub Security Advisory GHSA-mw6q-2hmg-mhxv and implemented in commit 847166a. Restart the application after upgrading to ensure route caches are rebuilt.
Workarounds
- If immediate patching is not possible, restrict access to the Coolify web interface using a network-level allowlist for administrator IPs only.
- Temporarily downgrade all non-administrator team members or suspend their accounts until the patch is applied.
- Place Coolify behind an authenticating reverse proxy that blocks /terminal/* websocket upgrade requests except for known administrator sessions.
# Upgrade Coolify to the patched release
cd /data/coolify/source
git fetch --tags
git checkout v4.0.0-beta.471
docker compose pull
docker compose up -d --force-recreate
# Verify the running version
curl -s http://localhost:8000/api/health | jq '.version'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

