CVE-2026-34047: Coolify terminal WebSocket endpoints lack proper authorization checks, allowing low-privileged members to access terminal functionality and achieve remote command execution on managed hosts.
CVE-2026-34047 is verified against coollabsio/coolify · Composer affected versions: <= 4.0.0-beta.470 fixed version: 4.0.0-beta.471 vulnerability class: Auth Bypass This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00275.
pruva-verify REPRO-2026-00275 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00275/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Coolify terminal WebSocket authorization bypass (CVE-2026-34047 / GHSA-652w-qv22-2r7c). The backend terminal bootstrap routes POST /terminal/auth and POST /terminal/auth/ips only check authentication, not authorization. A low-privileged authenticated Member can call these endpoints directly, obtain terminal-enabled host IPs, generate an API token, retrieve the team SSH private key via the API, and execute commands as root on managed hosts via the WebSocket terminal backend.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.