Authorization Bypass in Coolify Affects Server Management Capabilities
CVE-2026-34048
9.9CRITICAL
What is CVE-2026-34048?
Coolify, an open-source tool designed for managing servers, applications, and databases, has a vulnerability that affects its terminal websocket bootstrap routes. Before version 4.0.0-beta.471, these routes only required user authentication without enforcing proper terminal authorization. This loophole could enable low-privileged users to gain access to terminal commands, potentially allowing them to execute arbitrary commands on team servers. This issue has been addressed in the release of version 4.0.0-beta.471, which enforces necessary terminal authorizations.
Affected Version(s)
coolify < 4.0.0-beta.471
