PT-2026-1315 · Coolify · Coolify

Published 2026-01-05 · Updated 2026-01-05 · CVE-2025-59955

CVSS v4.0: 7.1 High

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Coolify versions prior to and including 4.0.0-beta.420.8

Description

Coolify is a self-hostable tool for managing servers, applications, and databases. The /api/v1/teams/{team id}/members and /api/v1/teams/current/members API endpoints allow authenticated team members to access a sensitive email change code belonging to other users on the same team. This code is used for email change verification and its exposure could allow an attacker to perform an unauthorized email address change. The vulnerable parameters are team id and the user's information within the team membership data.

Recommendations

Coolify versions prior to 4.0.0-beta.420.8 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2025-59955
GHSA-927G-56XP-6427

Affected Products

Coolify