When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.

This could result in storing an invalid email address, preventing the user from receiving system notifications.

Notifications sent to another person's email address could lead to information disclosure.

Fixed in 2.27.2.

None

Thanks to @ncrcs for discovering and reporting the issue.