What the vulnerability does
01Description
A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.
CVSS base score
5.4/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Key dates
02Disclosure timeline
February 13, 2024
CVE published
February 15, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2026-35555 Subnet Solutions PowerSYSTEM Center Incorrect Authorization
CVE-2025-54554
CVE-2024-34346 Deno contains a permission escalation via open of privileged files with missing `--deny` flag
CVE-2026-32051 OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access
CVE-2026-30241 Mercurius: queryDepth limit bypassed for WebSocket subscriptions
