Skip to main content

Red Hat CVE-2026-32700

MEDIUM
Race Condition (CWE-362)
2026-03-17 https://github.com/heartcombo/devise GHSA-57hq-95w6-v4fc
Information Disclosure Race Condition Red Hat Suse
6.0
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 17:24 nvd
MEDIUM 6.0

DescriptionNVD

Impact

A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes).

By sending two concurrent email change requests, an attacker can desynchronize the confirmation_token and unconfirmed_email fields. The confirmation token is sent to an email the attacker controls, but the unconfirmed_email in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account.

Patches

This is patched in Devise v5.0.3. Users should upgrade as soon as possible.

Workarounds

Applications can override this specific method from Devise models to force unconfirmed_email to be persisted when unchanged: (assuming your model is User)

ruby
class User < ApplicationRecord
  protected

  def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
    unconfirmed_email_will_change!
    super
  end
end

Note: Mongoid does not seem to respect that will_change! should force the attribute to be persisted, even if it did not really change, so you might have to implement a workaround similar to Devise by setting changed_attributes["unconfirmed_email"] = nil as well.

AnalysisAI

Devise's Confirmable module with the reconfirmable option enabled contains a race condition that allows attackers to confirm email addresses they don't control by sending concurrent email change requests. By exploiting the desynchronization between the confirmation token and unconfirmed email fields, an attacker can redirect a victim's email confirmation to their own account. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Share

CVE-2026-32700 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy