CVE-2026-32700

Severity: MEDIUM 5.3 | EPSS 0.02%

Devise Confirmable "change email" race condition permits a user to confirm an email address they have no access to

Published: 2026/3/17  Modified: 2026/3/30

Description

### Impact

A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when Confirmable is used with email changes).

By sending two concurrent email change requests, an attacker can desynchronize the `confirmation_token` and `unconfirmed_email` fields: the confirmation token is sent to an email address the attacker controls, while the `unconfirmed_email` stored in the database points to a victim's address. When the attacker uses the token, the victim's email address is confirmed on the attacker's account.

### Patches

This is patched in Devise **v5.0.3**. Users should upgrade as soon as possible.

### Workarounds

Applications can override this method from Devise's models to force `unconfirmed_email` to be persisted even when its value is unchanged (assuming your model is `User`):

```ruby
class User < ApplicationRecord
  protected

  # Mark unconfirmed_email dirty before Devise's own logic runs, so the
  # UPDATE always writes the column even when its value did not change.
  def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
    unconfirmed_email_will_change!
    super
  end
end
```

Note: Mongoid does not appear to honour `will_change!` as a request to persist an attribute that did not really change, so on Mongoid you may have to implement a workaround similar to Devise's own fix by also setting `changed_attributes["unconfirmed_email"] = nil`.
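The interleaving below is an added illustration, not Devise code and not part of the advisory. It reconstructs one schedule that is consistent with the advisory's description and with its workaround: a toy model with ActiveRecord-style dirty tracking (only columns whose value differs from the loaded value are written on save) is driven by two requests that both loaded the same row before either saved. The exact sequence of requests, the column names and the `ToyUser`/`Row` classes are assumptions made for the example; the `force_unconfirmed_email:` flag stands in for the `will_change!` workaround.

```ruby
# Added illustration (not Devise code): a minimal model with dirty tracking,
# used to show how two interleaved "change email" requests can leave
# unconfirmed_email and confirmation_token out of sync, and how forcing
# unconfirmed_email to be written (the advisory's workaround) closes the gap.
# The schedule and all names here are assumptions for the example.
require 'securerandom'

# Simulated database row, keyed by column name.
class Row
  attr_reader :data

  def initialize(data)
    @data = data.dup
  end

  def update(changes)
    @data.merge!(changes)
  end
end

# In-memory model with the subset of dirty tracking the race depends on:
# only columns whose value differs from the loaded value are written on save,
# unless the caller explicitly forced the column (the will_change! workaround).
class ToyUser
  attr_reader :email, :unconfirmed_email, :confirmation_token

  def initialize(row, force_unconfirmed_email: false)
    @row = row
    @loaded = row.data.dup
    @email, @unconfirmed_email, @confirmation_token =
      @loaded.values_at(:email, :unconfirmed_email, :confirmation_token)
    @force = force_unconfirmed_email
    @forced = []
  end

  # Simplified stand-in for Devise's postpone-until-confirmation step: the new
  # address is parked in unconfirmed_email and a fresh token is generated.
  def request_email_change(new_email)
    @forced << :unconfirmed_email if @force # the workaround: always persist it
    @unconfirmed_email = new_email
    @confirmation_token = SecureRandom.hex(8)
    self
  end

  # Returns the hash of columns actually written, mimicking a partial UPDATE.
  def save
    current = { email: @email, unconfirmed_email: @unconfirmed_email,
                confirmation_token: @confirmation_token }
    changes = current.select { |k, v| v != @loaded[k] || @forced.include?(k) }
    @row.update(changes)
    @loaded = @row.data.dup
    @forced.clear
    changes
  end
end

# Confirmation: a matching token promotes whatever unconfirmed_email holds.
def confirm(row, token)
  return false unless row.data[:confirmation_token] == token

  row.update(email: row.data[:unconfirmed_email],
             unconfirmed_email: nil, confirmation_token: nil)
  true
end

# Runs the race and returns the account's final confirmed email address.
def run_race(force:)
  # Constructed starting state: the attacker already has a pending change to
  # attacker@example.org, so unconfirmed_email holds that address.
  row = Row.new(email: 'attacker-original@example.org',
                unconfirmed_email: 'attacker@example.org',
                confirmation_token: 'old-token')
  # Both requests load the same snapshot before either one saves.
  req_a = ToyUser.new(row, force_unconfirmed_email: force)
  req_b = ToyUser.new(row, force_unconfirmed_email: force)
  # A re-requests the address that is already pending; B requests the victim's.
  req_a.request_email_change('attacker@example.org')
  req_b.request_email_change('victim@example.org')
  req_b.save # writes unconfirmed_email=victim and B's token (mailed to victim)
  req_a.save # without the workaround only A's token is written (mailed to attacker)
  confirm(row, req_a.confirmation_token) # attacker uses the token they received
  row.data[:email]
end

puts "without workaround: #{run_race(force: false)}"
puts "with workaround:    #{run_race(force: true)}"
```

Without the forced write, request A's UPDATE touches only `confirmation_token`, so the token the attacker receives now pairs with the victim's address left behind by request B, and confirming with it moves the account to `victim@example.org`. With the forced write, request A also rewrites `unconfirmed_email`, so the last writer's token and address stay consistent.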

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |

References (8)