CVE-2026-32700 in devise

Summary

by MITRE • 03/18/2026

Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an attacker can desynchronize the `confirmation_token` and `unconfirmed_email` fields. The confirmation token is sent to an email the attacker controls, but the `unconfirmed_email` in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account. This is patched in Devise v5.0.3. Users should upgrade as soon as possible. As a workaround, applications can override a specific method from Devise models to force `unconfirmed_email` to be persisted when unchanged. Note that Mongoid does not seem to respect that `will_change!` should force the attribute to be persisted, even if it did not really change, so the user might have to implement a workaround similar to Devise by setting `changed_attributes["unconfirmed_email"] = nil` as well.


Analysis

by VulDB Data Team • 03/26/2026

CVE-2026-32700 is a race condition in the Confirmable module of Devise, the Warden-based authentication library for Ruby on Rails, affecting versions before 5.0.3. Confirmable handles email confirmation; with the `reconfirmable` option (the default when Confirmable is used with email changes) a change of address is held in `unconfirmed_email` together with a freshly generated `confirmation_token` until the new address is confirmed. The flaw is that two concurrent email change requests for the same account are not serialized against each other, so their writes can interleave and leave those two fields inconsistent. Because `reconfirmable` is the default, the affected configuration is common across Devise installations.

The two fields are separate attributes of the same record, and the advisory's workaround (force `unconfirmed_email` to be persisted even when its value is unchanged) points at the root cause: the ORM writes only the attributes it considers changed. A sequence consistent with the advisory is the following. An account already holds a pending `unconfirmed_email` controlled by the attacker. The attacker sends two requests at once, one changing the address to the victim's and one re-submitting the attacker-controlled address. In the second request `unconfirmed_email` equals the value that was loaded, so only its new `confirmation_token` is written; if that request commits after the first, the row ends up with the victim's address in `unconfirmed_email` and a token that was mailed to the attacker. Confirmation looks the record up by token and promotes whatever `unconfirmed_email` it finds, so the attacker confirms the victim's address on the attacker's own account. No token guessing is involved; the attack depends only on timing.

The impact is more than an unconfirmed address slipping through: the attacker's account ends up with the victim's email marked as confirmed. Many applications treat a confirmed email as proof of identity, for example when matching OAuth or SSO logins to local accounts by address, enforcing uniqueness, or routing notifications and support workflows, so the result can be escalated to impersonation of the victim or takeover of resources tied to that address. The attacker needs only an account of their own and the ability to issue two requests close together; beyond knowing that the target uses Devise Confirmable with `reconfirmable`, no knowledge of the application's internals is required, which makes the flaw broadly exploitable across the many Rails applications built on Devise.

The fix is to upgrade to Devise 5.0.3 or later. The patched release persists `unconfirmed_email` together with the new `confirmation_token` even when the address is unchanged, so the two fields can no longer be written independently. Applications that cannot upgrade immediately can apply the workaround from the advisory: override the relevant Devise model method so that `unconfirmed_email` is marked as changed before the save. With ActiveRecord that is what `will_change!` (here `unconfirmed_email_will_change!`) achieves; Mongoid, the object-document mapper for MongoDB, does not reliably honour `will_change!` for an unchanged value, so there the workaround must also set `changed_attributes["unconfirmed_email"] = nil` to force the write. The weakness is catalogued as CWE-362 (concurrent execution using a shared resource with improper synchronization) and is a clear example of how unsynchronized concurrent writes undermine an authentication workflow; in ATT&CK terms the outcome maps to credential access and privilege escalation, since the attacker obtains an identity assertion (a confirmed address) they should not hold. Beyond patching, it is worth recording which address each confirmation token was mailed to, and alerting when a token ends up confirming a different address or when one account issues overlapping email change requests.
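The interleaving described above, as an added example that is not Devise's own code: a constructed Ruby simulation of ActiveRecord-style dirty tracking with partial writes, two email change requests that load the same row before either saves, and a confirmation step that promotes whatever `unconfirmed_email` the token's row holds. The `Store`, `UserRecord`, `request_email_change`, `confirm_by_token` and `simulate_race` names, the e-mail addresses and the initial pending address are all assumptions made for the simulation. With `force_write: true` the second request marks the attribute dirty (the `will_change!` behaviour the advisory's workaround relies on) and the two fields stay consistent.

```ruby
# Added example (not Devise code): a constructed simulation of how partial
# attribute writes let two interleaved email-change requests desynchronise
# `unconfirmed_email` and `confirmation_token`, and how forcing the attribute
# to be written closes the gap. All names and addresses are assumptions.
require "securerandom"

# Stand-in for the persisted user row. `update` writes only the columns it is
# given, mirroring an ORM that emits partial UPDATE statements.
class Store
  attr_reader :row

  def initialize(row)
    @row = row.dup
  end

  def update(changes)
    @row.merge!(changes)
  end
end

# Stand-in for a model instance with ActiveRecord-style dirty tracking: it
# snapshots the row at load time and on save writes only the attributes whose
# value differs from that snapshot.
class UserRecord
  attr_reader :attrs

  def initialize(store)
    @store = store
    @attrs = store.row.dup   # snapshot taken when the request loaded the row
    @changed = {}            # attribute => original value (like changed_attributes)
  end

  def write(name, value)
    @changed[name] = @attrs[name] if !@changed.key?(name) && @attrs[name] != value
    @attrs[name] = value
  end

  # Equivalent of `<attr>_will_change!`: mark dirty even if the value is unchanged.
  def will_change!(name)
    @changed[name] = @attrs[name] unless @changed.key?(name)
  end

  def save
    @store.update(@attrs.slice(*@changed.keys))
    @changed.clear
  end
end

# One email-change request: set the pending address, regenerate the token,
# persist, then "mail" the token to the pending address held in memory.
def request_email_change(user, new_email, outbox, force_write)
  user.write(:unconfirmed_email, new_email)
  user.will_change!(:unconfirmed_email) if force_write
  user.write(:confirmation_token, SecureRandom.hex(8))
  user.save
  outbox << { to: user.attrs[:unconfirmed_email], token: user.attrs[:confirmation_token] }
end

# Confirmation: the token selects the row, and whatever `unconfirmed_email`
# that row holds becomes the confirmed address. Returns it, or nil on a bad token.
def confirm_by_token(store, token)
  return nil unless token && store.row[:confirmation_token] == token
  store.update(email: store.row[:unconfirmed_email], unconfirmed_email: nil, confirmation_token: nil)
  store.row[:email]
end

# Two requests load the same row before either saves: A switches the pending
# address to the victim's, B re-submits the attacker-controlled pending
# address, and B commits last.
def simulate_race(force_write: false)
  store = Store.new({ email: "attacker@attacker.test",
                      unconfirmed_email: "alt@attacker.test", # earlier pending change
                      confirmation_token: "t0" })
  req_a = UserRecord.new(store)
  req_b = UserRecord.new(store)
  outbox = []
  request_email_change(req_a, "victim@victim.test", outbox, force_write)
  request_email_change(req_b, "alt@attacker.test", outbox, force_write)
  mail = outbox.find { |m| m[:to] == "alt@attacker.test" } # the only mail the attacker receives
  pending = store.row[:unconfirmed_email]
  {
    token_mailed_to_attacker: mail[:token],
    unconfirmed_email_in_db: pending,
    confirmed_email: confirm_by_token(store, mail[:token])
  }
end

if __FILE__ == $PROGRAM_NAME
  p simulate_race(force_write: false) # vulnerable: confirms victim@victim.test
  p simulate_race(force_write: true)  # fixed: confirms alt@attacker.test
end
```

The simulation deliberately models only the ORM behaviour the advisory's workaround depends on (write only changed attributes); a real exploit additionally needs the two HTTP requests to overlap in the application server. For the Mongoid caveat in the advisory, the equivalent of forcing the write would be recording a different original value in `changed_attributes` rather than relying on `will_change!`.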

Responsible

GitHub M

Reservation

03/13/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00019

KEV

no

Activities

very low
