CVE-2025-59955
Information Disclosure in Coolify API Exposes Email Change Codes
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coollabsio | coolify | up to 4.0.0-beta.420.8 (inclusive) |
| coollabsio | coolify | 4.0.0-beta.428 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-212 | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
| CWE-214 | A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59955 is an information disclosure vulnerability in Coolify versions up to v4.0.0-beta.420.8. Authenticated team members can access a sensitive field called `email_change_code` from other users on the same team via the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints. This code is a single-use verification token for email address changes and should be kept secret. The vulnerability occurs because the API returns the full user data including this sensitive code without properly redacting it. An attacker with team access can retrieve this code and use it to perform unauthorized email address changes on behalf of victims. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker who is an authenticated member of a team to obtain the `email_change_code` of other users. With this code, the attacker can hijack the victim's email change process, changing the victim's email address to one controlled by the attacker. This can lead to unauthorized account access, including the ability to reset passwords and access private projects and data within Coolify, compromising user privacy and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by making authenticated GET requests to the affected API endpoints `/api/v1/teams/{team_id}/members` or `/api/v1/teams/current/members` and inspecting the JSON response for the presence of the sensitive `email_change_code` field in the user data. For example, you can use a curl command like `curl -H "Authorization: Bearer <token>" https://<coolify-server>/api/v1/teams/current/members` and check whether the response includes the `email_change_code` field for any team member. If the field appears in another member's record, the instance is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are currently available, immediate mitigation steps include restricting access to the affected API endpoints to only highly trusted users, monitoring API usage for suspicious activity, and avoiding initiating email changes until a fix is released. Additionally, consider auditing team membership to limit the number of users who can authenticate and access these endpoints. Implementing network-level controls or API gateway rules to block or monitor requests to `/api/v1/teams/*/members` endpoints may also help reduce risk. [1]
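The following script is an added example, not code from the Coolify project or from this advisory. It automates the detection check described above (look at the members response and report which member records carry the `email_change_code` field, without ever printing the code itself) and shows the redaction that a reverse proxy or a local patch would apply to the same payload as a stop-gap until a fixed release is deployed. The response shape (a bare list of member objects, or an object with a `data` list), the member field names, the `fetch_members` helper and all sample values are assumptions constructed for the example.

```python
import json
import urllib.request
from typing import Any, Dict, List, Tuple

# Fields that must never leave the server in a members listing (CWE-201/CWE-212).
SENSITIVE_FIELDS = {"email_change_code"}

# Constructed sample payload in the assumed shape of /api/v1/teams/current/members.
# Values are made up; "alice" has a pending email change, "bob" does not.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "name": "alice", "email": "alice@example.com",
     "email_change_code": "CONSTRUCTED-SAMPLE-CODE"},
    {"id": 2, "name": "bob", "email": "bob@example.com",
     "email_change_code": None},
])


def iter_members(payload: Any) -> List[Dict[str, Any]]:
    """Accept either a bare list or {"data": [...]} (assumed shapes) and return the member dicts."""
    if isinstance(payload, dict) and isinstance(payload.get("data"), list):
        payload = payload["data"]
    if not isinstance(payload, list):
        return []
    return [m for m in payload if isinstance(m, dict)]


def find_exposed_fields(payload: Any, sensitive=SENSITIVE_FIELDS) -> List[Tuple[str, str, bool]]:
    """Return (member identifier, field name, value is non-null) for every sensitive key present.

    Presence of the key is the finding; the value is deliberately not returned or logged.
    """
    findings = []
    for member in iter_members(payload):
        ident = str(member.get("email") or member.get("id") or "<unknown>")
        for key in sorted(sensitive):
            if key in member:
                findings.append((ident, key, member[key] is not None))
    return findings


def check_members_response(body: str) -> Dict[str, Any]:
    """Detection verdict for one raw JSON response body from the members endpoint."""
    findings = find_exposed_fields(json.loads(body))
    return {"vulnerable": bool(findings), "findings": findings}


def redact_response(body: str, sensitive=SENSITIVE_FIELDS) -> str:
    """Hardened form of the payload: strip sensitive keys from every member record.

    This is what an API gateway / proxy rewrite (or a local patch of the serializer)
    would do; the original key is removed outright rather than blanked.
    """
    cleaned = [{k: v for k, v in m.items() if k not in sensitive}
               for m in iter_members(json.loads(body))]
    return json.dumps(cleaned)


def fetch_members(base_url: str, token: str, timeout: int = 10) -> str:
    """Fetch the current team's members with a bearer token (same request as the curl example).

    Network helper only; not exercised offline.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/teams/current/members",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    verdict = check_members_response(SAMPLE_RESPONSE)
    print("vulnerable:", verdict["vulnerable"])
    for ident, field, populated in verdict["findings"]:
        print(f"  {ident}: field {field!r} present (populated={populated})")
    print("after redaction vulnerable:",
          check_members_response(redact_response(SAMPLE_RESPONSE))["vulnerable"])
```

Run it as-is to see the verdict on the constructed sample; against a real instance, replace `SAMPLE_RESPONSE` with the string returned by `fetch_members(base_url, token)`. The check treats the mere presence of the key as a finding, matching the advisory's guidance, and reports only whether it is populated so that the verification code itself never ends up in a log or ticket.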
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes sensitive user information (the single-use `email_change_code`) to authenticated team members, which compromises user privacy and security. Such unauthorized disclosure of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized access and ensure data confidentiality. Therefore, the vulnerability negatively impacts compliance with these common standards and regulations by risking unauthorized access to protected user data. [1]