External risk intelligence

Coolify Terminal WebSocket Authorization Bypass Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-34047

Coolify is a self-hosted management platform for servers and applications. As a centralized dashboard designed to control and monitor infrastructure, it is frequently deployed as an internet-facing web service to allow remote management, making the terminal and API endpoints reachable from the network.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability in Coolify, a server management tool, could allow authenticated users to access unauthorized resources and execute commands. This issue arises because certain terminal functions did not properly enforce authorization.

  • Unauthorized access to server resources is possible.
  • Impacts systems managing servers and applications.
  • Confirm relevance and check for potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access to Coolify could exploit this vulnerability by targeting the terminal WebSocket routes. These routes, due to a lack of proper authorization checks, would allow the attacker to access and potentially execute commands on server resources that they should not have access to, leading to a significant compromise of the system.

  • Authenticated user access required.
  • Terminal WebSocket routes trigger vulnerability.
  • Unauthorized command execution risk.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user could gain unauthorized access to terminal functionality, potentially allowing them to execute commands on resources beyond their designated scope when the system is accessible over a network.

  • Server command execution.
  • Unauthorized terminal access.
  • System compromise and data manipulation.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams managing the Coolify instance and the underlying infrastructure are responsible for addressing this vulnerability. The first step is to identify all deployed Coolify instances, confirm their reachability and business criticality, and then determine the accountable owner for each. Planning remediation should follow, prioritizing instances based on their assessed risk.

  • Own the Coolify instance and its infrastructure.
  • Verify Coolify instance reachability and criticality.
  • Plan and execute necessary updates or controls.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coolify?

Coolify is an open-source, self-hosted platform that provides a centralized interface for managing servers, applications, and databases. It simplifies infrastructure tasks by acting as a dashboard where users can monitor and control various deployments, effectively serving as a management layer that sits on top of your existing server environment.

What is the vulnerability in CVE-2026-34047?

This vulnerability is classified as CWE-863, which refers to incorrect authorization. In plain English, the software fails to properly verify if a user has permission to perform a specific action. Specifically for this CVE, the terminal WebSocket routes do not check if a user is authorized to access certain resources, allowing them to perform actions outside of their allowed scope.

How is this vulnerability triggered?

An attacker triggers this by interacting with the terminal WebSocket bootstrap routes within Coolify. Note that this requires the attacker to already have valid authenticated access to the system. It is not triggered by users who lack any authentication, nor does it apply to standard dashboard navigation that does not involve these specific terminal connection paths.

Why should I care about CVE-2026-34047?

According to Halo Surface Signal, Coolify is often deployed as an internet-facing web service to facilitate remote infrastructure management. If your instance is reachable over the network, the combination of widespread access and the potential for unauthorized command execution on the underlying server makes this a critical security concern for any organization using the software.

What is the first step to address this?

Your primary action is to update your Coolify instance to version 4.0.0-beta.471 or newer, as this release includes the necessary authorization middleware to secure the terminal routes. Start by creating an inventory of all your running instances, verifying which are accessible over the network, and coordinating with the relevant owners to apply the update.

References