Description
Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an attacker can desynchronize the `confirmation_token` and `unconfirmed_email` fields. The confirmation token is sent to an email the attacker controls, but the `unconfirmed_email` in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account. This is patched in Devise v5.0.3. Users should upgrade as soon as possible. As a workaround, applications can override a specific method from Devise models to force `unconfirmed_email` to be persisted when unchanged. Note that Mongoid does not seem to respect that `will_change!` should force the attribute to be persisted, even if it did not really change, so the user might have to implement a workaround similar to Devise by setting `changed_attributes["unconfirmed_email"] = nil` as well.
Published: 2026-03-18
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized email confirmation leading to potential account takeover
Action: Immediate Patch
AI Analysis

Impact

A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. By sending two concurrent email change requests, the attacker can desynchronize the confirmation_token and unconfirmed_email fields. The confirmation token is delivered to the attacker's mailbox while the unconfirmed_email in the database points to a victim’s address. When the attacker uses the token, the victim’s email is confirmed on the attacker’s account, enabling unauthorized account use.

Affected Systems

All Ruby on Rails applications using the Devise authentication framework before version 5.0.3 with the Confirmable module enabled and the default reconfirmable option. The affected package is the heartcombo:devise library shipped as a Ruby Gem.

Risk and Exploitability

The vulnerability has a CVSS score of 6 and an EPSS score below 1 %, indicating moderate severity but low probability of exploitation. It is not listed in CISA’s KEV catalog. The attack requires creating two simultaneous email change requests, typically from distinct accounts or timing the requests closely; therefore, the most likely attack surface is the web interface that allows users to change their email. Successful exploitation results in the attacker confirming an email they control on an account that belongs to a victim, potentially enabling further intrusion.

Generated by OpenCVE AI on March 26, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Devise gem to version 5.0.3 or later.
  • Run bundle install and restart the application.
  • If an upgrade is not immediately possible, override the relevant method in your user model to force persistence of unchanged unconfirmed_email attributes.
  • For Mongoid users, additionally set changed_attributes["unconfirmed_email"] = nil to ensure the field is saved.
  • Verify that the changes prevent the race condition by testing concurrent email change requests.

Generated by OpenCVE AI on March 26, 2026 at 17:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-57hq-95w6-v4fc Devise has a confirmable "change email" race condition permits user to confirm email they have no access to
History

Thu, 26 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:heartcombo:devise:*:*:*:*:*:ruby:*:*
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Moderate

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Heartcombo
Heartcombo devise
Vendors & Products Heartcombo
Heartcombo devise

Wed, 18 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an attacker can desynchronize the `confirmation_token` and `unconfirmed_email` fields. The confirmation token is sent to an email the attacker controls, but the `unconfirmed_email` in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account. This is patched in Devise v5.0.3. Users should upgrade as soon as possible. As a workaround, applications can override a specific method from Devise models to force `unconfirmed_email` to be persisted when unchanged. Note that Mongoid does not seem to respect that `will_change!` should force the attribute to be persisted, even if it did not really change, so the user might have to implement a workaround similar to Devise by setting `changed_attributes["unconfirmed_email"] = nil` as well.
Title Devise has a confirmable "change email" race condition that permits user to confirm email they have no access to
Weaknesses CWE-362
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Heartcombo Devise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:11:56.909Z

Reserved: 2026-03-13T14:33:42.823Z

Link: CVE-2026-32700

cve-icon Vulnrichment

Updated: 2026-03-20T17:14:02.915Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T21:16:26.943

Modified: 2026-03-26T14:47:09.370

Link: CVE-2026-32700

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T20:55:55Z

Links: CVE-2026-32700 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T08:41:50Z

Weaknesses