- Product: coollabsio coolify
- Vulnerabilities: 4 flaws (CVE-2026-34037, CVE-2026-57498, CVE-2026-34048, CVE-2026-34047)
- Highest severity: 9.9 (Critical · CVSSv3)
- Worst impact: Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()
- Status: No confirmed exploitation yet
- Action: See vendor advisories
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-34037 | 9.9 | CWE-639 | Not exploited |
| CVE-2026-34048 | 9.9 | CWE-285 | Not exploited |
| CVE-2026-34047 | 9.9 | CWE-863 | Not exploited |
| CVE-2026-57498 | 9.6 | CWE-639 | Not exploited |
TL;DR
Four critical Coolify vulnerabilities now have patches. Three score CVSS 9.9, and they let low-privileged members reach remote code execution as root. The maintainers fixed them across several beta releases, so update without delay.
Why It Matters
Coolify runs privileged operations on your servers over SSH. It manages containers, databases, and deployments, often as the root user. Therefore, a single broken authorization check can hand attackers real infrastructure.
The exposure is large. Censys counted roughly 52,890 public Coolify instances in early January 2026. Many of those run shared, multi-team deployments. In those setups, these Coolify vulnerabilities erase the boundaries between tenants.
The blast radius reaches beyond one app. A successful attacker can run containers, read secrets, and pivot across managed hosts. That turns a self-hosting convenience into a serious risk.
How the Attacks Work
Each flaw shares one root cause: missing team-level authorization. The API checks ownership correctly, yet several web components skip the same check.
Cross-Tenant Cloning and IDOR
CVE-2026-34037 sits in the cloneTo() action. It authorizes the source resource but never scopes the destination to your team. As a result, a member can clone apps, databases, and services onto another team’s server. Deploying that clone then runs attacker-chosen containers on the victim host.
CVE-2026-57498 follows the same pattern. Multiple Livewire components accept server and destination IDs straight from the URL, without any team validation.
Terminal Takeover and RCE
CVE-2026-34048 and CVE-2026-34047 target the terminal websocket. The interface limits terminal access to admins. However, the websocket bootstrap routes only confirm that a user is logged in. A low-privileged member can therefore open an admin-only session and execute commands on team servers.
The path is practical, not just theoretical. A regular member can gather the needed inputs from ordinary pages, since server UUIDs, connection fields, and key IDs all appear in normal views. In a reproduced chain, the attacker retrieves the host SSH key and gains root.
Affected Versions
The clone flaw, CVE-2026-34037, affects versions below 4.0.0-beta.464. Both terminal flaws, CVE-2026-34048 and CVE-2026-34047, affect 4.0.0-beta.470 and earlier. The cross-team IDOR, CVE-2026-57498, affects releases before 4.0.0-beta.474.
Researchers reproduced the terminal attack in a lab and reached root. So far, though, no in-the-wild exploitation has been confirmed, and no public exploit code has appeared.
Patch and Mitigation
Upgrade first. Move to the latest build on the official Coolify releases page, which rolls up every fix. The terminal patch now enforces the same authorization boundary on the bootstrap routes that the UI already applies.
Next, tighten your roles. Review who holds Member access, and reduce terminal-enabled servers where you can. Also limit which SSH keys stay visible to ordinary members, because that visibility widens the attack path.
For the full technical detail, read the official Coolify security advisories. Above all, treat these Coolify vulnerabilities as urgent, because each one crosses from the app straight into your live infrastructure.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.