CVE-2026-32700
Published: 2026-03-18
Priority: P4 (33) · Severity: medium · CVSS 3.1 base score: 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.27% (19.2th percentile)
Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an attacker can desynchronize the `confirmation_token` and `unconfirmed_email` fields. The confirmation token is sent to an email the attacker controls, but the `unconfirmed_email` in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account. This is patched in Devise v5.0.3. Users should upgrade as soon as possible. As a workaround, applications can override a specific method from Devise models to force `unconfirmed_email` to be persisted when unchanged. Note that Mongoid does not seem to respect that `will_change!` should force the attribute to be persisted, even if it did not really change, so the user might have to implement a workaround similar to Devise by setting `changed_attributes["unconfirmed_email"] = nil` as well.
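The mechanism behind the desynchronization, and why forcing `unconfirmed_email` to be written closes it, can be shown with a small simulation. The Ruby below is an added example, not Devise's code and not the project's patch: it models ActiveRecord-style dirty tracking (only attributes that differ from the loaded snapshot reach the UPDATE) with hypothetical `Store` and `Record` classes, replays two email-change requests that both read the row before either writes, and checks the invariant a regression test should assert: the address that was mailed the stored token must equal the stored `unconfirmed_email`. The `will_change!` path models `unconfirmed_email_will_change!`; the `reset_original!` path models the `changed_attributes["unconfirmed_email"] = nil` workaround the advisory mentions for Mongoid. All names, addresses and the starting state are constructed.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for the users table row of one account.
# Added example, not Devise code: names and shapes here are assumptions.
class Store
  attr_reader :row

  def initialize(row)
    @row = row.dup
  end

  # A partial UPDATE: only the given columns are written.
  def update(cols)
    @row.merge!(cols)
  end
end

# Minimal ActiveRecord-style dirty tracking. A request loads a snapshot,
# mutates it, and on save writes only attributes whose value differs from
# the snapshot. That is what lets `unconfirmed_email` drop out of the UPDATE
# when the requested address equals the value loaded at request start.
class Record
  def initialize(row)
    @original = row.dup   # like ActiveModel's changed_attributes originals
    @attrs    = row.dup
    @forced   = []
  end

  def [](key)
    @attrs[key]
  end

  def []=(key, value)
    @attrs[key] = value
  end

  # Equivalent of `unconfirmed_email_will_change!`: dirty even if unchanged.
  def will_change!(key)
    @forced << key
  end

  # Equivalent of `changed_attributes["unconfirmed_email"] = nil`: the
  # workaround the advisory suggests where `will_change!` is not honoured.
  def reset_original!(key)
    @original[key] = nil
  end

  def changed_columns
    @attrs.keys.select { |k| @forced.include?(k) || @attrs[k] != @original[k] }
  end

  def save(store)
    store.update(@attrs.slice(*changed_columns))
  end
end

# Model of the reconfirmable flow: the new address is parked in
# `unconfirmed_email`, a fresh token is generated and mailed to that address.
# `force` selects how the record is made to always write unconfirmed_email:
# nil (vulnerable), :will_change, or :reset_original.
def request_email_change(store, new_email, force: nil)
  rec = Record.new(store.row)
  rec[:unconfirmed_email]  = new_email
  rec[:confirmation_token] = SecureRandom.hex(8)
  case force
  when :will_change    then rec.will_change!(:unconfirmed_email)
  when :reset_original then rec.reset_original!(:unconfirmed_email)
  end
  mail = { to: new_email, token: rec[:confirmation_token] }
  [rec, mail]
end

# Two requests that both read the row before either writes, then commit in
# order. Starting state (constructed): a pending change to an address the
# account holder already controls.
def interleaved_change(force: nil)
  store = Store.new(email: 'holder@example.test',
                    unconfirmed_email: 'holder-new@example.test',
                    confirmation_token: 'stale-token')
  a, mail_a = request_email_change(store, 'someone-else@example.test', force: force)
  b, mail_b = request_email_change(store, 'holder-new@example.test', force: force)
  a.save(store)
  b.save(store)
  { row: store.row, mails: [mail_a, mail_b] }
end

# Invariant to assert in a regression test: the address that was mailed the
# currently stored token must equal the stored unconfirmed_email.
def token_matches_pending_email?(result)
  mail = result[:mails].find { |m| m[:token] == result[:row][:confirmation_token] }
  !mail.nil? && mail[:to] == result[:row][:unconfirmed_email]
end

if __FILE__ == $PROGRAM_NAME
  [nil, :will_change, :reset_original].each do |mode|
    r = interleaved_change(force: mode)
    puts "#{mode.inspect.ljust(16)} consistent=#{token_matches_pending_email?(r)} row=#{r[:row]}"
  end
end
```

In the vulnerable run the second request's `unconfirmed_email` equals the value it loaded, so only `confirmation_token` is written and the row ends up holding the first request's address with the second request's token. Either forcing mode makes the second write carry both columns, and the invariant holds regardless of which request commits first. The same invariant is a useful assertion in an application's own test suite after upgrading to 5.0.3 or applying the override.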
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-devise | — | — |
| heartcombo | devise | < 5.0.3 | 5.0.3 |
| plataformatec | devise | >= 0 < 5.0.3 | 5.0.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | 4.0 | 6.0 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.0 | MEDIUM | — |
| vendor_debian | — | 6.0 | MEDIUM | — |
| vendor_redhat | — | 6.0 | MEDIUM | — |
OSV
CVE-2026-32700: Devise is an authentication solution for Rails based on Warden
osv·2026-03-18·CVSS 6.0
OSV
Devise has a confirmable "change email" race condition permits user to confirm email they have no access to
osv · 2026-03-17 · MEDIUM
### Impact
A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes).
By sending two concurrent email change requests, an attacker can desynchronize the `confirmation_token` and `unconfirmed_email` fields. The confirmation token is sent to an email the attacker controls, but the `unconfirmed_email` in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account.
### Patches
This is patched in Devise **v5.0.3**. Users should upgrade as soon as possible.
GHSA
Devise has a confirmable "change email" race condition permits user to confirm email they have no access to
ghsa · 2026-03-17 · MEDIUM · CWE-362
Red Hat
devise: Devise: Unauthorized email confirmation due to a race condition
vendor_redhat · 2026-03-18 · CVSS 6.0 · MEDIUM · CWE-367
Debian
CVE-2026-32700: ruby-devise - Devise is an authentication solution for Rails based on Warden. Prior to version...
vendor_debian · 2026 · CVSS 6.0 · MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-32700 awatcher: Devise: Unauthorized email confirmation due to a race condition [fedora-42]
bugzilla · 2026-03-19 · CVSS 6.0 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained versi
Bugzilla
CVE-2026-32700 vaultwarden: Devise: Unauthorized email confirmation due to a race condition [fedora-42]
bugzilla · 2026-03-19 · CVSS 6.0 · MEDIUM
Bugzilla
CVE-2026-32700 aw-server-rust: Devise: Unauthorized email confirmation due to a race condition [fedora-42]
bugzilla · 2026-03-19 · CVSS 6.0 · MEDIUM
Wiz
CVE-2026-32700 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.8 · MEDIUM
## CVE-2026-32700: Ruby vulnerability analysis and mitigation
Source: NVD
Score: 6 · Published: March 18, 2026 · Severity: MEDIUM · CNA Score: 6.0
Affected technologies: Ruby, Linux Debian
Has public exploit: No · Has CISA KEV exploit: No (CISA KEV release date: N/A, due date: N/A)
Exploitation probability percentile (EPSS): 1.9 · Exploitation probability (EPSS): N/A
Affected packages and libraries: ruby-devise, devise
Sources:
- NVD
- Debian 11: No fix; added Mar 20, 2026
- Echo: Severity MEDIUM, No fix; added Mar 20, 2026
- RubyGems: Severity MEDIUM, Has fix; added Mar 17, 2026
- RubyGems: Has fix; added Mar 24, 2026
References
- https://github.com/heartcombo/devise/issues/5783
- https://github.com/heartcombo/devise/pull/5784
- https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/GHSA-57hq-95w6-v4fc.yml
Published: 2026-03-18