Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34048

CVE-2026-34048: Coolify Auth Bypass Vulnerability

CVE-2026-34048 is an authentication bypass flaw in Coolify that allows low-privileged team members to execute commands on team servers via terminal websockets. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-34048 Overview

Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. Versions prior to 4.0.0-beta.471 contain a broken access control flaw in the terminal websocket bootstrap routes. These routes verify authentication but skip terminal authorization checks. Any low-privileged team member can connect to a terminal route and execute arbitrary commands on team servers. The issue is tracked under CWE-285: Improper Authorization and fixed in version 4.0.0-beta.471.

Critical Impact

A low-privileged authenticated user can execute arbitrary commands on any team server through unauthorized terminal websocket access, resulting in full compromise of managed infrastructure.

Affected Products

  • Coolify versions prior to 4.0.0-beta.471
  • Self-hosted Coolify deployments managing multi-user teams
  • Coolify instances exposing terminal websocket routes to authenticated users

Discovery Timeline

  • 2026-07-07 - CVE-2026-34048 published to NVD
  • 2026-07-07 - Last updated in NVD database
  • v4.0.0-beta.471 - Coolify releases patched version with authorization middleware

Technical Details for CVE-2026-34048

Vulnerability Analysis

The vulnerability resides in Coolify's terminal websocket bootstrap routes defined in routes/web.php. These routes handle authentication for interactive shell sessions on servers managed by Coolify. The route handlers verify that a request comes from a logged-in user through auth()->check(). However, they do not validate whether that user holds terminal access privileges on the target server.

Coolify implements team-based role separation with distinct permission scopes for administrators and members. The missing authorization step allows any authenticated team member, regardless of role, to bootstrap a websocket terminal session. Once the session is established, the attacker gains an interactive shell on the server with the privileges of the Coolify agent.

Root Cause

The root cause is a missing authorization middleware on the terminal.auth route and related terminal bootstrap endpoints. Authentication and authorization are conflated as a single check. The application trusts session validity as sufficient grounds to grant terminal access. This aligns with the classification under CWE-285: Improper Authorization.

Attack Vector

An attacker requires only low-privileged team credentials on a target Coolify instance. The attacker authenticates normally, then initiates a websocket connection to the terminal bootstrap route. Because the middleware chain skips terminal authorization, the server upgrades the connection and attaches a shell. The attacker can then issue arbitrary commands against any server the team manages. The scope changes from a limited application user to full server operator, which reflects the scope-changed classification of the flaw.

php
         }
 
         return response()->json(['authenticated' => false], 401);
-    })->name('terminal.auth');
+    })->name('terminal.auth')->middleware('can.access.terminal');
 
     Route::post('/terminal/auth/ips', function () {
         if (auth()->check()) {

Source: Coolify commit 847166a — the patch attaches the can.access.terminal middleware to the terminal.auth route, enforcing per-user terminal authorization before websocket bootstrap.

Detection Methods for CVE-2026-34048

Indicators of Compromise

  • Websocket connection requests to /terminal/auth or /terminal/auth/ips originating from user accounts without administrative roles.
  • Unexpected shell processes spawned by the Coolify agent on managed servers outside normal deployment activity.
  • New outbound connections from managed servers to attacker-controlled hosts following a terminal session.
  • Audit log gaps where terminal sessions appear without corresponding role-based approval events.

Detection Strategies

  • Correlate Coolify application logs with team role assignments to identify terminal sessions opened by non-admin users.
  • Inspect reverse proxy or load balancer logs for HTTP 101 Switching Protocols responses on terminal routes tied to low-privileged sessions.
  • Baseline expected terminal session frequency per user and alert on deviations, particularly outside business hours.
  • Monitor process execution telemetry on managed hosts for shells parented by the Coolify runtime and cross-reference with authorized change tickets.

Monitoring Recommendations

  • Forward Coolify web and websocket access logs to a centralized logging platform for retention and correlation.
  • Enable command auditing (auditd or equivalent) on all servers registered with Coolify to record shell activity.
  • Alert on any invocation of privilege escalation utilities (sudo, su, pkexec) originating from Coolify agent sessions.

How to Mitigate CVE-2026-34048

Immediate Actions Required

  • Upgrade all Coolify instances to version 4.0.0-beta.471 or later without delay.
  • Review team membership and revoke access for users who no longer require it, applying least privilege.
  • Rotate SSH keys, API tokens, and secrets stored in Coolify if unauthorized terminal access is suspected.
  • Audit shell history and command execution logs on managed servers for the period preceding the upgrade.

Patch Information

Coolify addressed the flaw in release v4.0.0-beta.471. The fix applies the can.access.terminal authorization middleware to terminal bootstrap routes, as documented in GitHub Security Advisory GHSA-mw6q-2hmg-mhxv and implemented in commit 847166a. Restart the application after upgrading to ensure route caches are rebuilt.

Workarounds

  • If immediate patching is not possible, restrict access to the Coolify web interface using a network-level allowlist for administrator IPs only.
  • Temporarily downgrade all non-administrator team members or suspend their accounts until the patch is applied.
  • Place Coolify behind an authenticating reverse proxy that blocks /terminal/* websocket upgrade requests except for known administrator sessions.
bash
# Upgrade Coolify to the patched release
cd /data/coolify/source
git fetch --tags
git checkout v4.0.0-beta.471
docker compose pull
docker compose up -d --force-recreate

# Verify the running version
curl -s http://localhost:8000/api/health | jq '.version'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.