
CVE-2025-59955: CWE-201: Insertion of Sensitive Information Into Sent Data in coollabsio coolify

Severity: Medium
Tags: CVE-2025-59955, CWE-201, CWE-212, CWE-214
Published: Mon Jan 05 2026 (01/05/2026, 17:46:56 UTC)
Source: CVE Database V5
Vendor/Project: coollabsio
Product: coolify

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.420.8, the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints return the `email_change_code` of other users on the same team to any authenticated team member. This code is a single-use verification code for changing a user's email address and should be kept secret; its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of the time of publication, no patched versions exist.

AI-Powered Analysis

Last updated: 01/05/2026, 18:07:53 UTC

Technical Analysis

CVE-2025-59955 is a medium-severity information disclosure vulnerability in Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. In versions prior to and including v4.0.0-beta.420.8, the API endpoints /api/v1/teams/{team_id}/members and /api/v1/teams/current/members return the user records of team members without stripping the 'email_change_code' field, so any authenticated member of a team can read the codes of every other user on that team. The code is a single-use secret that proves ownership of an account when its email address is changed. An attacker who reads a victim's code can use it to perform an unauthorized email address change on the victim's account, and because account recovery flows are delivered to the registered address, redirecting that address is a route to account takeover. The root cause is the insertion of a sensitive field into data sent to the client (CWE-201); the standard remedy is to serialize only an allowlist of public fields rather than the underlying user model. Exploitation requires an authenticated Coolify account that is a member of the same team, but no elevated role and no user interaction, so any teammate, including one whose session or API token has been compromised, can harvest the codes of the others. No patched version exists as of publication, and no exploitation in the wild is known. The CVSS 4.0 vector reflects a network attack vector, low attack complexity, low privileges (an authenticated team member), no user interaction, and a high confidentiality impact, giving a score of 5.7. Because Coolify accounts control the servers, applications, and databases the instance manages, a taken-over account can be a starting point for privilege escalation or lateral movement within that infrastructure.
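As an added example (not code from the advisory or from the Coolify project), the following Python script audits a members listing for the leaked field and shows the allowlist serialization that closes the hole. The response shape, the bearer-token header, and every field name other than email_change_code are assumptions, and the sample response is constructed, not captured from a real instance.

```python
"""Audit a Coolify team-members API response for leaked secrets.

Added example, not Coolify's own code. It assumes the members endpoints
return a JSON list of user objects in which the leaked field is named
`email_change_code` (the field named in the advisory); the other field
names and the bearer-token header are assumptions.
"""
import json
import urllib.request

# Fields an ordinary team member has no business seeing about other users.
SECRET_FIELDS = ("email_change_code",)

# Fields a team-member listing legitimately needs; everything else is dropped.
PUBLIC_FIELDS = ("id", "name", "email", "created_at")

# Constructed sample response shaped like the vulnerable endpoint
# (assumed shape; not captured from a real instance).
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "name": "alice", "email": "alice@example.com",
     "email_change_code": None, "created_at": "2025-01-01T00:00:00Z"},
    {"id": 2, "name": "bob", "email": "bob@example.com",
     "email_change_code": "7f3a9c0e", "created_at": "2025-01-02T00:00:00Z"},
])


def exposed_secrets(payload):
    """Return [(user id, field, value)] for every secret field that is
    present and populated in the listing: a code an attacker could use now."""
    found = []
    for member in json.loads(payload):
        for field in SECRET_FIELDS:
            value = member.get(field)
            if value:
                found.append((member.get("id"), field, value))
    return found


def leaky_keys(payload):
    """Return the set of secret field names that appear as keys at all,
    populated or not. Their presence means the user model is serialized
    wholesale instead of through an allowlist, so the instance is affected
    even if no change is pending right now."""
    keys = set()
    for member in json.loads(payload):
        keys.update(k for k in SECRET_FIELDS if k in member)
    return keys


def public_view(member):
    """The fix pattern: build the response from an allowlist of fields, so a
    secret column added to the user model later is not exposed by default."""
    return {k: member[k] for k in PUBLIC_FIELDS if k in member}


def sanitize(payload):
    """Apply the allowlist to a whole listing."""
    return [public_view(m) for m in json.loads(payload)]


def fetch_members(base_url, token, team="current"):
    """Fetch the live listing from your own instance. Assumes the API accepts
    an Authorization: Bearer token, which is an assumption of this example."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/teams/{team}/members",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    import sys
    # With a base URL and token, audit a live instance; otherwise the sample.
    payload = (fetch_members(sys.argv[1], sys.argv[2])
               if len(sys.argv) == 3 else SAMPLE_RESPONSE)
    print("secret keys present:", sorted(leaky_keys(payload)))
    for uid, field, value in exposed_secrets(payload):
        print(f"user {uid}: {field} is exposed ({value[:2]}...)")
```

Run it against your own instance with a token that belongs to an ordinary team member: if leaky_keys reports email_change_code, the instance is affected regardless of whether any code is currently populated, because the field only carries a value while a user has an email change pending.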

Potential Impact

For European organizations running Coolify, the vulnerability threatens the confidentiality and integrity of user accounts within teams: a teammate who reads another user's email change code can change that user's registered email address, which amounts to account takeover. Because Coolify accounts control server, application, and database management, a taken-over account can be used to alter configurations, deploy malicious code, exfiltrate data, or disrupt the services the instance manages. The impact is greatest where Coolify manages production or regulated infrastructure, as is common in finance, healthcare, and government. The attack is an insider or compromised-insider scenario: it needs a valid team member's session or API token, so the risk grows with the size of the team and with how loosely those credentials are protected. With no patched version available, compensating controls are the only option; although no exploitation in the wild is known, the attack is simple and the exposed value is a bearer secret, so proactive mitigation is warranted.

Mitigation Recommendations

Given the absence of a patch, the following mitigations are specific to this flaw:

1) Restrict team membership to trusted personnel, audit memberships regularly, and remove former members promptly, since every team member can read the codes of every other member.
2) Treat API tokens as team membership: inventory and rotate them, and revoke any that are unused, because a leaked token is all an external attacker needs to reach the endpoints.
3) Monitor access logs for requests to the affected endpoints: repeated listings from one client, or one client listing the members of several team ids, is the pattern of an attacker harvesting codes rather than a user opening a team page.
4) Verify email changes out of band as a process control: treat any unexpected email change notification as an incident, and confirm through a second channel before acting on access requests that arrive from a newly changed address.
5) Place Coolify instances in segmented network zones with strict access control, so a compromised account cannot be turned into lateral movement.
6) Tell users that an unexpected email change notice is a sign of compromise and must be reported immediately.
7) Where the instance sits behind a reverse proxy or WAF, restrict access to the /api/v1/teams/{team_id}/members and /api/v1/teams/current/members paths to the source addresses and clients that need them, or block them outright if nothing depends on them; a rule can also alert on the enumeration pattern in item 3.
8) Track the Coolify project for a fix and plan to update as soon as a patched version is released.
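The detection in items 3 and 7, as an added example that is not part of the advisory or of Coolify: a Python script that parses reverse-proxy access logs and raises alerts for bursts of member listings and for clients enumerating several team ids. It assumes the proxy in front of Coolify writes Nginx "combined" format lines; the thresholds are assumptions to tune for your traffic, and the sample log lines are constructed.

```python
"""Flag suspicious access to the Coolify team-members endpoints in reverse
proxy access logs. Added example, not part of the advisory or of Coolify.
Assumes Nginx "combined" log lines (an assumption about your proxy); the
sample lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Nginx combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Both affected endpoints, with or without a query string or trailing slash.
MEMBERS_RE = re.compile(r"^/api/v1/teams/(?:\d+|current)/members(?:[/?]|$)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 walks several team ids in seconds (one refused),
# 10.0.0.9 loads one team page like a normal user.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2026:17:50:01 +0000] "GET /api/v1/teams/current/members HTTP/1.1" 200 812 "-" "curl/8.5.0"
10.0.0.5 - - [05/Jan/2026:17:50:02 +0000] "GET /api/v1/teams/3/members HTTP/1.1" 200 812 "-" "curl/8.5.0"
10.0.0.5 - - [05/Jan/2026:17:50:03 +0000] "GET /api/v1/teams/4/members HTTP/1.1" 403 120 "-" "curl/8.5.0"
10.0.0.5 - - [05/Jan/2026:17:50:04 +0000] "GET /api/v1/teams/5/members HTTP/1.1" 200 812 "-" "curl/8.5.0"
10.0.0.9 - - [05/Jan/2026:17:55:00 +0000] "GET /api/v1/teams/current/members HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Jan/2026:17:55:10 +0000] "GET /api/v1/projects HTTP/1.1" 200 311 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            rec["status"] = int(rec["status"])
            yield rec


def members_requests(log_text):
    """Only the requests that hit one of the two affected endpoints."""
    return [r for r in parse(log_text) if MEMBERS_RE.match(r["path"])]


def detect(log_text, burst=3, window=timedelta(minutes=5)):
    """Return alerts as (ip, reason). Two signals (thresholds are assumptions):
    - burst: more than `burst` member listings from one client within `window`;
      a single page load does not re-list the team repeatedly;
    - enumeration: one client listing members of several distinct team ids,
      or being refused (403) for some, which is what collecting codes across
      teams looks like."""
    by_ip = defaultdict(list)
    for r in members_requests(log_text):
        by_ip[r["ip"]].append(r)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            in_window = [x for x in recs[i:] if x["ts"] - r["ts"] <= window]
            if len(in_window) > burst:
                alerts.append((ip, f"{len(in_window)} member listings within {window}"))
                break
        # /api/v1/teams/<id>/members -> split("/")[4] is the team id or "current"
        teams = {r["path"].split("/")[4] for r in recs}
        denied = sum(1 for r in recs if r["status"] == 403)
        if len(teams) > 1 or denied:
            alerts.append((ip, f"enumerated {len(teams)} team ids, {denied} denied"))
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

Feed it your proxy's access log (or adapt LINE_RE to Traefik or Caddy output); the 403 signal matters because a member probing team ids they do not belong to is refused, and that refusal is itself evidence of intent even when no code is leaked.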


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-09-23T14:33:49.506Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 695bfa903839e441756fd45e

Added to database: 1/5/2026, 5:53:20 PM

Last enriched: 1/5/2026, 6:07:53 PM

Last updated: 1/8/2026, 2:12:33 PM

