CVE-2025-59955
Unknown Unknown - Not Provided
Information Disclosure in Coolify API Exposes Email Change Codes

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allows authenticated team members to access a highly sensitive `email_change_code` from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59955
EUVD
EUVD-2025-206247
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.420.8 (inc)
coollabsio coolify 4.0.0-beta.428
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-214 A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
CWE-212 The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59955 is an information disclosure vulnerability in Coolify versions up to v4.0.0-beta.420.8. Authenticated team members can access a sensitive field called `email_change_code` from other users on the same team via the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints. This code is a single-use verification token for email address changes and should be kept secret. The vulnerability occurs because the API returns the full user data including this sensitive code without properly redacting it. An attacker with team access can retrieve this code and use it to perform unauthorized email address changes on behalf of victims. [1]

Impact Analysis

This vulnerability can allow an attacker who is an authenticated member of a team to obtain the `email_change_code` of other users. With this code, the attacker can hijack the victim's email change process, changing the victim's email address to one controlled by the attacker. This can lead to unauthorized account access, including the ability to reset passwords and access private projects and data within Coolify, compromising user privacy and security. [1]

Detection Guidance

This vulnerability can be detected by making authenticated GET requests to the affected API endpoints `/api/v1/teams/{team_id}/members` or `/api/v1/teams/current/members` and inspecting the JSON response for the presence of the sensitive `email_change_code` field in the user data. For example, you can use curl commands like: `curl -H "Authorization: Bearer <token>" https://<coolify-server>/api/v1/teams/current/members` and check if the response includes the `email_change_code` field for any team member. Presence of this field indicates the vulnerability. [1]

Mitigation Strategies

Since no patched versions are currently available, immediate mitigation steps include restricting access to the affected API endpoints to only highly trusted users, monitoring API usage for suspicious activity, and avoiding initiating email changes until a fix is released. Additionally, consider auditing team membership to limit the number of users who can authenticate and access these endpoints. Implementing network-level controls or API gateway rules to block or monitor requests to `/api/v1/teams/*/members` endpoints may also help reduce risk. [1]

Compliance Impact

This vulnerability exposes sensitive user information (the single-use email_change_code) to authenticated team members, which compromises user privacy and security. Such unauthorized disclosure of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized access and ensure data confidentiality. Therefore, the vulnerability negatively impacts compliance with these common standards and regulations by risking unauthorized access to protected user data. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59955. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart