CVE-2026-32700: Devise has a confirmable "change email" race condition permits user to confirm email they have no access to
(updated )
A race condition in Devise’s Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes).
By sending two concurrent email change requests, an attacker can desynchronize the confirmation_token and unconfirmed_email fields. The confirmation token is sent to an email the attacker controls, but the unconfirmed_email in the database points to a victim’s email address. When the attacker uses the token, the victim’s email is confirmed on the attacker’s account.
References
- github.com/advisories/GHSA-57hq-95w6-v4fc
- github.com/heartcombo/devise
- github.com/heartcombo/devise/issues/5783
- github.com/heartcombo/devise/pull/5784
- github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc
- github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/GHSA-57hq-95w6-v4fc.yml
- nvd.nist.gov/vuln/detail/CVE-2026-32700
Code Behaviors & Features
Detect and mitigate CVE-2026-32700 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →