Authorization Bypass in Coolify WebSocket Functionality
CVE-2026-34047

9.9CRITICAL

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-34047?

Coolify, an open-source tool for server and application management, has a vulnerability affecting its terminal WebSocket bootstrap routes. This issue allows authenticated users to bypass authorization checks and access terminal functionalities for unauthorized resources, potentially enabling them to execute commands outside their designated scope. The flaw has been addressed in version 4.0.0-beta.471, and users are advised to update their installations promptly to mitigate the risk.

Affected Version(s)

coolify < 4.0.0-beta.471

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.