PT-2026-25981 · Rails +3

Albinowax +1

Published: 2026-03-17 · Updated: 2026-03-19 · CVE-2026-32700

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Devise versions prior to 5.0.3

Description: Devise, an authentication solution for Rails based on Warden, contains a flaw in its Confirmable module. When the reconfirmable option is enabled, a race condition between concurrent email change requests can desynchronize the confirmation_token and unconfirmed_email fields, allowing an attacker to confirm an email address they do not own. The confirmation token is sent to an attacker-controlled address while the unconfirmed_email stored in the database points to a victim's address; using that token then confirms the victim's email on the attacker's account. The vulnerable component is the Confirmable module. The vulnerable method is postpone_email_change_until_confirmation_and_regenerate_confirmation_token().

Recommendations: Versions prior to 5.0.3 should be upgraded to version 5.0.3 or later. As a workaround, applications can override the postpone_email_change_until_confirmation_and_regenerate_confirmation_token method from Devise models to force unconfirmed_email to be persisted even when its value is unchanged. For applications using Mongoid, implement a workaround similar to Devise's by setting changed_attributes["unconfirmed_email"] = nil so that the attribute is written on save.
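The workaround above only makes sense once it is clear why an unchanged unconfirmed_email matters. The following Ruby simulation is an added example, not Devise's code: it models an ORM that writes only dirty attributes (as ActiveRecord and Mongoid do) and two email-change saves that loaded the same row before either wrote back. Without the forced write, the confirmation_token that survives was mailed for one address while unconfirmed_email names another; with the forced write (the equivalent of unconfirmed_email_will_change! in ActiveRecord, or the changed_attributes assignment for Mongoid) the two columns always agree. The UsersTable and UserRecord classes, the addresses and the token format are constructed for the example.

```ruby
require 'securerandom'

# Toy users table that applies partial UPDATEs: only the columns passed to
# update are written, which is how an ORM with dirty tracking behaves.
class UsersTable
  def initialize(row)
    @row = row.dup
  end

  def load
    @row.dup
  end

  def update(changes)
    @row.merge!(changes)
  end

  def find_by_token(token)
    @row[:confirmation_token] == token ? @row.dup : nil
  end
end

# Toy model: one in-memory copy of a row plus ActiveModel-style dirty tracking.
# (Assumption: a deliberately reduced stand-in for a Devise-backed model.)
class UserRecord
  attr_reader :attrs

  def initialize(table, force_unconfirmed_email:)
    @table = table
    @attrs = table.load
    @dirty = {}
    @force_unconfirmed_email = force_unconfirmed_email
  end

  # Assigning a value equal to the current one does not mark the column dirty,
  # so it is left out of the UPDATE.
  def assign(column, value)
    @dirty[column] = value unless @attrs[column] == value
    @attrs[column] = value
  end

  # Stand-in for the postpone-email-change-and-regenerate-token step.
  # Returns the address the reconfirmation mail would go to and the new token.
  def postpone_email_change(new_email)
    assign(:unconfirmed_email, new_email)
    # The workaround: force the column into the UPDATE even when unchanged.
    @dirty[:unconfirmed_email] = new_email if @force_unconfirmed_email
    assign(:confirmation_token, SecureRandom.hex(16))
    [@attrs[:unconfirmed_email], @attrs[:confirmation_token]]
  end

  def save
    @table.update(@dirty)
    @dirty = {}
  end
end

# Confirmation step: the row found by token adopts its stored unconfirmed_email.
def confirm_by_token(table, token)
  row = table.find_by_token(token)
  row && row[:unconfirmed_email]
end

# Two email-change saves that loaded the same stale row (unconfirmed_email
# already set from an earlier change) and wrote back in the order B then A.
def run_race(force_unconfirmed_email:)
  table = UsersTable.new(
    email: "original@example.test",
    unconfirmed_email: "first@example.test",
    confirmation_token: "stale-token"
  )
  req_a = UserRecord.new(table, force_unconfirmed_email: force_unconfirmed_email)
  req_b = UserRecord.new(table, force_unconfirmed_email: force_unconfirmed_email)

  mailed_to_a, token_a = req_a.postpone_email_change("first@example.test") # same value as loaded
  req_b.postpone_email_change("second@example.test")

  req_b.save
  req_a.save # last write wins, but only for the columns it carries

  {
    token_mailed_to: mailed_to_a,
    email_confirmed: confirm_by_token(table, token_a),
    consistent: mailed_to_a == table.load[:unconfirmed_email]
  }
end

if __FILE__ == $PROGRAM_NAME
  p run_race(force_unconfirmed_email: false)
  p run_race(force_unconfirmed_email: true)
end
```

The :consistent flag is the invariant a defender wants to hold after every reconfirmation save: the address the token was mailed to must equal the unconfirmed_email the token will confirm. Forcing the column into the write is what restores it.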

Weakness Enumeration

Race Condition

Related Identifiers

CVE-2026-32700
GHSA-57HQ-95W6-V4FC

Affected Products

Devise
Mongoid
Rails
Warden