External risk intelligence

Coolify Command Execution Vulnerability via Unauthorized Terminal Access.

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-34048

Coolify is a self-hosted management platform designed to orchestrate and manage servers, applications, and databases. Such tools are commonly deployed as web-based administrative consoles or control planes, which are frequently exposed to the internet or accessible via corporate network edges to facilitate remote management.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in Coolify, an open-source server management tool, where certain terminal functions did not properly restrict access. This could allow a user with limited privileges to execute commands on team servers, potentially impacting system integrity and data confidentiality. The main concern is confirming relevance and exposure within our environment.

  • Unauthorized command execution on managed servers.
  • Confirms need for access control review.
  • Verify if our Coolify instances are affected.

Attack Path

How an attacker could exploit the issue

An attacker with low-level access to the Coolify platform could potentially gain control over a team's servers. This is possible because the terminal websocket routes do not adequately check if a user is authorized to execute commands, even if they are already logged in. Successful exploitation could lead to attackers executing arbitrary commands on servers managed by Coolify.

  • Low-privileged user can access terminal.
  • Unauthorized commands are executed on servers.
  • Complete server control is a potential risk.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, a low-privileged team member could connect to terminal routes and execute commands on team servers. This could affect system data and service behavior when this vulnerability is present.

  • System commands and data at risk.
  • Unauthorized terminal access executes commands.
  • Full system compromise of the server.

Operational Fix

Recommended remediation, mitigation, and detection steps

As Coolify is a self-hosted management tool for servers, applications, and databases, the platform or infrastructure teams responsible for its deployment and maintenance are likely the first point of contact. The initial action should be to locate all instances of Coolify, determine their exposure (internal vs. external), assess business criticality, and identify the specific application or system owners. This will enable a risk-based approach to planning remediation, potentially involving vendor coordination for updates.

  • Platform or infrastructure team ownership.
  • Verify Coolify instance exposure and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coolify?

Coolify is an open-source, self-hosted platform used to orchestrate and manage server infrastructure, applications, and databases. It acts as a central control plane, providing a web-based administrative interface that simplifies deployments and server monitoring for technical teams.

What does CVE-2026-34048 mean?

This CVE describes an issue involving improper authorization (CWE-285) and missing authorization for critical functions (CWE-862). In plain terms, while the system verifies a user is logged in, it fails to check if that user has specific permission to access server terminal sessions. This allows unauthorized command execution.

How can an attacker trigger this vulnerability?

An attacker must already have a low-privileged account within the Coolify platform to interact with the terminal websocket routes. The bug is triggered when that user initiates a connection to a terminal session. Simply being an unauthorized external user without any account access does not trigger this specific flaw.

Is my Coolify instance at risk?

If you host Coolify, it is highly relevant regardless of network placement. According to Halo Surface Signal, because this tool serves as an administrative control plane, it is often placed at network edges or exposed to the internet. Even if accessed only internally, the vulnerability allows any authenticated team member to escalate privileges to full server control.

How do I fix this security issue?

The primary response is to update your Coolify installation to version 4.0.0-beta.471 or later, which enforces proper authorization checks on terminal routes. Before updating, identify all your deployed instances, verify which ones are running vulnerable versions, and coordinate with your infrastructure team to apply the patch.

References