Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Authenticated user needed so PR:L; network-reachable low-complexity WebSocket route with no interaction; terminal command execution on out-of-scope hosts crosses the authorization boundary giving S:C and full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outside the authorized scope and potentially execute commands. This issue is fixed in version 4.0.0-beta.471.
AnalysisAI
Privilege escalation via broken authorization in Coolify's self-hosted server/application management platform lets any authenticated low-privilege user reach terminal WebSocket functionality for resources outside their authorized scope, prior to version 4.0.0-beta.471. Because the terminal bootstrap routes skipped the expected authorization middleware, an attacker with a valid account can potentially execute commands on servers and containers they should not control. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated Coolify account (CVSS PR:L) and be able to reach the terminal WebSocket bootstrap routes over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely aligned toward high priority but with important nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged but authenticated user on a shared Coolify instance - for example a developer scoped to a single project - sends a crafted terminal WebSocket bootstrap request naming a server or container belonging to another team. Because the authorization middleware is not enforced on that route, the session is established against the out-of-scope resource, and the attacker gains an interactive terminal to execute commands on hosts they were never granted access to. … |
| Remediation | Upgrade to Coolify 4.0.0-beta.471 or later, which restores the missing authorization middleware on the terminal WebSocket bootstrap routes (Vendor-released patch: 4.0.0-beta.471); see the advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-652w-qv22-2r7c and release https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Coolify deployments and identify current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41981