CVE-2025-59955

5.7 MEDIUM

📋 TL;DR

Coolify versions up to v4.0.0-beta.420.8 have an API vulnerability that allows authenticated team members to access other users' email change verification codes. This could enable unauthorized email address changes for victims within the same team. All Coolify instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Coolify
Versions: All versions prior to and including v4.0.0-beta.420.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to team API endpoints. Self-hosted instances only.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious team member changes victim's email address, takes over account, and gains administrative access to the Coolify instance and managed infrastructure.

🟠

Likely Case

Team member performs unauthorized email change on colleague's account, causing service disruption and potential data access.

🟢

If Mitigated

Limited to internal team disputes with no external impact if proper access controls and monitoring are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid team-member credentials and API access; the vulnerable endpoints are reached with ordinary HTTP requests, so no special tooling is needed once a session is held.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427

Restart Required: No

Instructions:

No official patch available. Monitor GitHub repository for updates and apply immediately when released.

🔧 Temporary Workarounds

API Endpoint Restriction (platform: linux)

Restrict access to the vulnerable API endpoints using web server or application firewall rules. Note that a blanket deny also blocks the endpoint for legitimate clients that list team members, so scope the rule to trusted sources if that functionality is needed.

# Example nginx location block to deny access
location ~ ^/api/v1/teams/(.*)/members$ {
    deny all;
    return 403;
}

Team Member Audit (platform: all)

Review team membership and restrict it to trusted users only.

🧯 If You Can't Patch

  • Implement strict access controls and monitor API access logs for suspicious patterns.
  • Disable email change functionality temporarily if not critical for operations.

🔍 How to Verify

Check if Vulnerable:

Check the Coolify version via the web interface or configuration files. If the version is v4.0.0-beta.420.8 or earlier, the system is vulnerable.

Check Version:

Check the Coolify web interface dashboard, or inspect the Docker image tags if the instance is containerized.

Verify Fix Applied:

When a patch is available, verify that the running version is newer than v4.0.0-beta.420.8 and confirm that the team member API endpoints no longer return email_change_code in their responses.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to /api/v1/teams/*/members endpoints
  • Multiple failed email change attempts
  • Email change requests from unexpected IPs

Network Indicators:

  • HTTP GET requests to vulnerable endpoints returning sensitive data

SIEM Query:

source="coolify" AND (uri_path="/api/v1/teams/*/members" OR message="*email_change_code*")
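The log indicators above can be checked offline against access logs before a SIEM query is in place. The following is an added example, not code from the advisory or from the Coolify project; it assumes a reverse proxy in front of Coolify writing nginx "combined" format access logs, and the log lines, IP addresses and team ids below are constructed for illustration. It extracts every request to the team members endpoint (served or blocked), then reports sources that hit it repeatedly.

```python
import re
from collections import Counter

# Constructed sample access log lines in nginx "combined" format (not real Coolify logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /api/v1/teams/7/members HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /api/v1/teams/7/members HTTP/1.1" 200 1843 "-" "curl/8.4.0"
198.51.100.9 - - [10/Oct/2025:12:01:10 +0000] "GET /api/v1/teams/7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:12:01:12 +0000] "GET /api/v1/teams/12/members?page=2 HTTP/1.1" 403 93 "-" "curl/8.4.0"
192.0.2.20 - - [10/Oct/2025:12:02:00 +0000] "GET /livewire/update HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# nginx "combined" log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the advisory; the team id segment is captured for reporting.
MEMBERS_RE = re.compile(r'^/api/v1/teams/(?P<team>[^/]+)/members/?$')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_member_listings(log_text):
    """Return every request to the team members endpoint, served or blocked.

    The query string is stripped before matching so that paginated requests
    (e.g. ?page=2) are still recognised.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        m = MEMBERS_RE.match(path)
        if m:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "team": m.group("team"),
                "status": rec["status"],
                "ua": rec["ua"],
            })
    return hits


def summarize(hits, threshold=2):
    """Count member-listing requests per source IP and return those at or above threshold."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_member_listings(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} team={h["team"]} status={h["status"]} ua="{h["ua"]}"')
    print("repeat sources:", summarize(found))
```

A 200 response means the endpoint was served (and, on a vulnerable version, may have included other members' email_change_code values); a 403 after the nginx workaround is applied shows the rule is working but still records who tried. Correlating the repeating source IPs with the authenticated user in Coolify's own logs is the next step, since every hit here is by design an authenticated team member.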
