Skip to main content

Coolify CVE-2026-34048

| EUVDEUVD-2026-41995 CRITICAL
Improper Authorization (CWE-285)
2026-07-07 GitHub_M
9.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable websocket route, low complexity, exploitable by an already-authenticated low-privilege team member (PR:L), no interaction; command execution on managed hosts crosses a trust boundary (S:C) with full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 05:01 EUVD
Analysis Generated
Jul 07, 2026 - 04:03 vuln.today

DescriptionCVE.org

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes and execute commands on team servers. This issue is fixed in version 4.0.0-beta.471.

AnalysisAI

Improper authorization in Coolify's terminal websocket bootstrap routes lets any low-privileged team member execute arbitrary commands on team-managed servers, because the routes verify only that a request is authenticated but never check whether the caller is authorized to use the terminal. Affecting all Coolify versions prior to 4.0.0-beta.471, this CWE-285 flaw carries a critical 9.9 CVSS score with a scope change, effectively granting shell access to underlying infrastructure from a minimal application role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged team member
Delivery
Open websocket to terminal bootstrap route
Exploit
Bypass missing authorization check
Execution
Execute commands on team server
Impact
Access secrets and pivot to host

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Coolify account that is a member of the target team but holds only low privileges (PR:L) - no administrator or terminal-authorized role is needed, and no user interaction is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals align toward genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user holding only a basic role in a Coolify team crafts a websocket connection directly to a terminal bootstrap route that they were never granted terminal access to. Because the route checks only that they are logged in, the connection succeeds and they run shell commands on the team's managed servers - reading secrets, altering deployments, or pivoting into the host. …
Remediation Vendor-released patch: 4.0.0-beta.471 - upgrade all Coolify instances to v4.0.0-beta.471 or later, which adds the missing terminal authorization enforcement (see release https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471, advisory https://github.com/coollabsio/coolify/security/advisories/GHSA-mw6q-2hmg-mhxv, and fix commit 847166a3f89b7c80972fa0d2e5c754976f95b6ad). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Restrict terminal WebSocket access to administrator roles only using Coolify's role-based access controls; audit current team membership and remove unnecessary elevated access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59157 CRITICAL POC
9.9 Jan 05

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo

CVE-2025-66209 CRITICAL POC
9.9 Dec 23

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application

CVE-2025-64420 CRITICAL POC
9.9 Jan 05

Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba

CVE-2026-57498 CRITICAL POC
9.6 Jun 29

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,

CVE-2025-64419 CRITICAL POC
9.6 Jan 05

Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap

CVE-2025-34161 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo

CVE-2025-34159 CRITICAL POC
9.4 Aug 27

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d

CVE-2026-34594 HIGH POC
8.8 Jun 29

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss

CVE-2026-34597 HIGH POC
8.8 Jun 29

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica

CVE-2025-64424 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

CVE-2025-59156 HIGH POC
8.8 Jan 05

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0

CVE-2025-66211 HIGH POC
8.8 Dec 23

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers

Share

CVE-2026-34048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy