CVE-2026-34047
CRITICALCoolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution
Title source: cnaDescription
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outside the authorized scope and potentially execute commands. This issue is fixed in version 4.0.0-beta.471.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/coollabsio/coolify/security/advisories/GHSA-652w-qv22-2r7c
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/pull/9169
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/bc91b41f92f1bbb53886a5d7a60335cbf1621cd5
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471
Scores
CVSS v3
9.9
EPSS
0.0037
EPSS Percentile
29.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (1)
coollabsio/coolify
< 4.0.0-beta.471
Published
Jul 07, 2026
Tracked Since
Jul 07, 2026