Fix race condition vulnerability, by ensuring the unconfirmed_email is always saved (#5784)

grantcox · carlosantoniodasilva · web-flow · commit 02527772bd9a · 2026-03-16T17:40:45.000-03:00
Fix security issue in the `Confirmable` "change email" flow, where a user can end up confirming an email address that they have no access to.  The flow for this is:

1. Attacker registers `attacker1@email.com`
2. Attacker changes their email to `attacker2@email.com`, but does not yet confirm this
3. Attacker submits two concurrent "change email" requests
  a. one changing to `attacker2@email.com`
  b. one changing to `victim@email.com`

When request 3.a is run, the `Confirmable.postpone_email_change_until_confirmation_and_regenerate_confirmation_token` method sets both the `unconfirmed_email` and `confirmation_token` properties.  But as the `unconfirmed_email` value is the same as the model already had from step 2, this attribute is not included in the SQL `UPDATE` statement.  The SQL `UPDATE` statement only updates the `confirmation_token`.  This token is emailed to the `attacker2@email.com` address.

If the "victim" race request (3.b) completes first, it will update both the `unconfirmed_email` and the `confirmation_token`.  But then request 3.a will replace just the token.  The model's end state is having the confirmation token that was sent to the attacker, but with the `unconfirmed_email` of the victim.

When the attacker follows the confirmation link, they will have confirmed the victim's email address, on an account that the attacker controls.

Co-authored-by: Carlos Antonio da Silva &lt;carlosantoniodasilva@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+### Unreleased
+
+* security fixes
+  * Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own [#5783](https://github.com/heartcombo/devise/pull/5783) [#5784](https://github.com/heartcombo/devise/pull/5784)
+
 ### 5.0.2 - 2026-02-18
 
 * enhancements
diff --git a/lib/devise/models/confirmable.rb b/lib/devise/models/confirmable.rb
@@ -258,9 +258,11 @@ def generate_confirmation_token!
           generate_confirmation_token && save(validate: false)
         end
 
-
         def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
           @reconfirmation_required = true
+          # Force unconfirmed_email to be updated, even if the value hasn't changed, to prevent a
+          # race condition which could allow an attacker to confirm an email they don't own. See #5783.
+          devise_unconfirmed_email_will_change!
           self.unconfirmed_email = self.email
           self.email = self.devise_email_in_database
           self.confirmation_token = nil
diff --git a/lib/devise/orm.rb b/lib/devise/orm.rb
@@ -35,6 +35,10 @@ def devise_will_save_change_to_email?
         will_save_change_to_email?
       end
 
+      def devise_unconfirmed_email_will_change!
+        unconfirmed_email_will_change!
+      end
+
       def devise_respond_to_and_will_save_change_to_attribute?(attribute)
         respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
       end
@@ -61,6 +65,13 @@ def devise_will_save_change_to_email?
         email_changed?
       end
 
+      def devise_unconfirmed_email_will_change!
+        # Mongoid's will_change! doesn't force unchanged attributes into updates,
+        # so we override changed_attributes to make it see a difference.
+        unconfirmed_email_will_change!
+        changed_attributes["unconfirmed_email"] = nil
+      end
+
       def devise_respond_to_and_will_save_change_to_attribute?(attribute)
         respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
       end
diff --git a/test/integration/confirmable_test.rb b/test/integration/confirmable_test.rb
@@ -354,4 +354,32 @@ def visit_admin_confirmation_with_token(confirmation_token)
     assert_contain(/Email.*already.*taken/)
     assert admin.reload.pending_reconfirmation?
   end
+
+  test 'concurrent "update email" requests should not allow confirming a victim email address' do
+    attacker_email = "attacker@example.com"
+    victim_email = "victim@example.com"
+
+    attacker = create_admin
+    # update the email address of the attacker, but do not confirm it yet
+    attacker.update!(email: attacker_email)
+
+    # A new request starts, to update the unconfirmed email again.
+    attacker = Admin.find_by(id: attacker.id)
+
+    # A concurrent request also updates the email address to the victim, while the `attacker` request's model is in memory
+    Admin.where(id: attacker.id).update_all(
+      unconfirmed_email: victim_email,
+      confirmation_token: "different token"
+    )
+
+    # Now the attacker updates to the same prior unconfirmed email address, and confirm.
+    # This should update the `unconfirmed_email` in the database, even though it is unchanged from the models point of view.
+    attacker.update!(email: attacker_email)
+    attacker_token = attacker.raw_confirmation_token
+    visit_admin_confirmation_with_token(attacker_token)
+
+    attacker.reload
+    assert attacker.confirmed?
+    assert_equal attacker_email, attacker.email
+  end
 end
