Devise has a confirmable "change email" race condition that permits user to confirm email they have no access to
Description
Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes).

By sending two concurrent email change requests, an attacker can desynchronize the confirmation_token and unconfirmed_email fields. The confirmation token is sent to an email the attacker controls, but the unconfirmed_email in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account.

This is patched in Devise v5.0.3. Users should upgrade as soon as possible. As a workaround, applications can override a specific method from Devise models to force unconfirmed_email to be persisted when unchanged. Note that Mongoid does not seem to respect that will_change! should force the attribute to be persisted, even if it did not really change, so the user might have to implement a workaround similar to Devise by setting changed_attributes["unconfirmed_email"] = nil as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Devise's Confirmable module allows an attacker to confirm a victim's email address on their own account by sending concurrent email change requests.
CVE-2026-32700 is a race condition in the Devise authentication library's Confirmable module, specifically affecting the reconfirmable option used for email changes. The vulnerability allows an attacker to confirm an email address they do not control, enabling them to link a victim's email to their own account [2].
To exploit this, an attacker sends two concurrent HTTP requests to change the email on their account: one to an attacker-controlled address and another to the victim's address. Due to a race condition, the confirmation_token is sent to the attacker's email while the unconfirmed_email field in the database is set to the victim's address. The attacker can then use the token to confirm the victim's email on the attacker's account [3].
The impact is that the attacker can bind a victim's email address to an account the attacker controls, which can lead to account takeover or other abuse if the application trusts the confirmed address for password resets, login, or notifications [2]. The vulnerability affects all Devise applications that use the Confirmable module with the default reconfirmable setting.
Devise v5.0.3 patches this issue by ensuring that unconfirmed_email is persisted even when its value is unchanged. Users should upgrade immediately. As a workaround, applications can override the relevant Devise model method to force the attribute to be written to the database; Mongoid may additionally require clearing the attribute's changed state, as described in the advisory text above [2][1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
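The desync described above, as an added illustration that is not Devise's own code: a toy in-memory record with ActiveModel-style dirty tracking, where save writes only the attributes that changed. The addresses, the interleaving (both requests load the row before either saves), and the assumption that a request whose new address equals the already-pending unconfirmed_email leaves that column unwritten are the example's own modelling choices, chosen to reproduce the symptom the advisory describes; the `force_persist` flag stands in for the 5.0.3-style "persist even when unchanged" fix and is not Devise's API.

```ruby
# Added illustration for CVE-2026-32700: a toy model, not Devise code.
# Assumptions (not from the advisory): an ORM that writes only dirty attributes on
# save, and two requests that both load the same row before either one saves.
require 'securerandom'

# Constructed single-row "database" holding the attacker's own account.
DB = {}
# Constructed mailbox: address => tokens delivered to it.
MAILBOX = Hash.new { |h, k| h[k] = [] }

ATTACKER   = 'attacker@example.test'      # attacker's current confirmed email
ATTACKER_2 = 'attacker-alt@example.test'  # second attacker-controlled address
VICTIM     = 'victim@example.test'

# Start state: an earlier, still-pending change to ATTACKER_2 is stored.
def reset_db!
  DB.replace(email: ATTACKER, unconfirmed_email: ATTACKER_2, confirmation_token: 'stale')
  MAILBOX.clear
end

class UserRecord
  # force_persist: stands in for the 5.0.3-style fix that marks unconfirmed_email
  # as changed even when its value did not change (hypothetical flag).
  def initialize(force_persist: false)
    @attrs = DB.dup   # each request works on its own loaded copy of the row
    @dirty = {}
    @force_persist = force_persist
  end

  def write(name, value)
    @dirty[name] = true if @attrs[name] != value  # dirty tracking: unchanged => not written
    @attrs[name] = value
  end

  # Models the reconfirmation step: stash the new address and mint a fresh token.
  def request_email_change(new_email)
    write(:unconfirmed_email, new_email)
    @dirty[:unconfirmed_email] = true if @force_persist
    write(:confirmation_token, SecureRandom.hex(8))
    self
  end

  # Persist only dirty attributes, like an UPDATE built from changed columns.
  def save!
    @dirty.each_key { |k| DB[k] = @attrs[k] }
    @dirty.clear
    self
  end

  # The confirmation mail goes to the in-memory unconfirmed_email, not the DB's.
  def deliver_instructions
    MAILBOX[@attrs[:unconfirmed_email]] << @attrs[:confirmation_token]
    self
  end
end

# Confirmation endpoint: looks the token up in the DB and promotes unconfirmed_email.
def confirm_by_token(token)
  return nil unless token && DB[:confirmation_token] == token
  DB[:email] = DB[:unconfirmed_email]
  DB[:unconfirmed_email] = nil
  DB[:confirmation_token] = nil
  DB[:email]
end

# Runs the two-request race and returns the address that ends up confirmed.
def run_race(fixed:)
  reset_db!
  r1 = UserRecord.new(force_persist: fixed)  # request 1: change to the victim's address
  r2 = UserRecord.new(force_persist: fixed)  # request 2: re-request the pending attacker address
  r1.request_email_change(VICTIM)
  r2.request_email_change(ATTACKER_2)        # equals stored value => not dirty unless fixed
  r1.save!.deliver_instructions
  r2.save!.deliver_instructions              # unfixed: only confirmation_token is written
  token_for_attacker = MAILBOX[ATTACKER_2].last
  confirm_by_token(token_for_attacker)
end

if __FILE__ == $PROGRAM_NAME
  puts "unfixed: #{run_race(fixed: false)}"  # victim's address confirmed on the attacker's account
  puts "fixed:   #{run_race(fixed: true)}"   # attacker's own pending address
end
```

The point of the model is the ordering of the two writes: request 1 persists both columns, request 2 persists only the token, so the database ends up with the victim's address paired with a token that was mailed to the attacker. Forcing the unconfirmed_email column to be written on every change request makes the last writer win for both columns together, which is why the advisory's workaround is about persisting the attribute even when it is unchanged rather than about the token itself.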
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devise (RubyGems) | < 5.0.3 | 5.0.3 |
Affected products
- devise: < 5.0.3
- heartcombo/devise (v5): < 5.0.3
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-57hq-95w6-v4fc (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32700 (NVD entry)
- github.com/heartcombo/devise/issues/5783 (upstream issue)
- github.com/heartcombo/devise/pull/5784 (upstream pull request)
- github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc (vendor security advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2026-32700.yml (ruby-advisory-db)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/GHSA-57hq-95w6-v4fc.yml (ruby-advisory-db)
News mentions
- Japan’s PM orders cybersecurity review to stop Mythos going full CyberZilla (The Register Security, May 12, 2026)
- ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories (The Hacker News, May 7, 2026)
- Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft (The Hacker News, May 1, 2026)