← back
CVE-2026-34048

Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers

CVSS 9.9 CRITICALEPSS 0.4%CWE-285CWE-862
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 9.9EPSS 0.4%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
07 Jul 2026Published on NVD
13 Jul 2026Public PoC
Weaponization speed
6 daysto first PoC
Weaponized quickly — attackers prioritized this vulnerability. Patch urgently.
Recommendation: Plan a near-term fix — a public PoC already exists.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes and execute commands on team servers. This issue is fixed in version 4.0.0-beta.471.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
coollabsio · coolify
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.