CVE-2026-32700

Description

### Impact A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an attacker can desynchronize the `confirmation_token` and `unconfirmed_email` fields. The confirmation token is sent to an email the attacker controls, but the `unconfirmed_email` in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account. ### Patches This is patched in Devise **v5.0.3**. Users should upgrade as soon as possible. ### Workarounds Applications can override this specific method from Devise models to force `unconfirmed_email` to be persisted when unchanged: (assuming your model is `User`) ```ruby class User < ApplicationRecord protected def postpone_email_change_until_confirmation_and_regenerate_confirmation_token unconfirmed_email_will_change! super end end ``` Note: Mongoid does not seem to respect that `will_change!` should force the attribute to be persisted, even if it did not really change, so you might have to implement a workaround similar to Devise by setting `changed_attributes["unconfirmed_email"] = nil` as well.

Priority Score