CVE-2026-34047

CRITICAL

Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution

Title source: cna
STIX 2.1

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outside the authorized scope and potentially execute commands. This issue is fixed in version 4.0.0-beta.471.

Scores

CVSS v3 9.9
EPSS 0.0037
EPSS Percentile 29.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (1)
coollabsio/coolify < 4.0.0-beta.471
Published Jul 07, 2026
Tracked Since Jul 07, 2026