CVE-2025-59955
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/{team_id}/members and /api/v1/teams/current/members API endpoints allows authenticated team members to access a highly sensitive email_change_code from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| coollabsio | coolify | <= 4.0.0-beta.428 | affected |
Weaknesses
- CWE-201: CWE-201: Insertion of Sensitive Information Into Sent Data
- CWE-212: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
- CWE-214: CWE-214: Invocation of Process Using Visible Sensitive Information
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.