CVE-2026-32700: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in heartcombo devise
Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an attacker can desynchronize the `confirmation_token` and `unconfirmed_email` fields. The confirmation token is sent to an email the attacker controls, but the `unconfirmed_email` in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account. This is patched in Devise v5.0.3. Users should upgrade as soon as possible. As a workaround, applications can override a specific method from Devise models to force `unconfirmed_email` to be persisted when unchanged. Note that Mongoid does not seem to respect that `will_change!` should force the attribute to be persisted, even if it did not really change, so the user might have to implement a workaround similar to Devise by setting `changed_attributes["unconfirmed_email"] = nil` as well.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-32700 is a concurrency-related race condition vulnerability identified in the Devise authentication solution for Ruby on Rails applications, maintained by heartcombo. The flaw resides in the Confirmable module when the `reconfirmable` option is enabled, which is the default behavior when users change their email addresses. The vulnerability arises because Devise does not properly synchronize access to shared resources during concurrent email change requests. An attacker can exploit this by initiating two simultaneous requests to change the email address. This leads to a state where the `confirmation_token` is sent to an attacker-controlled email, but the `unconfirmed_email` field in the database points to a victim's email address. When the attacker uses the confirmation token, the victim's email is confirmed on the attacker's account, effectively allowing the attacker to hijack or manipulate email confirmation processes. This can undermine account integrity and trust in the authentication system. The vulnerability requires low privileges (authenticated user), no user interaction, and network access but has a high impact on integrity. The issue is patched in Devise version 5.0.3. As a workaround, developers can override Devise model methods to force the `unconfirmed_email` attribute to persist even if unchanged, though Mongoid users may need additional adjustments due to its handling of attribute changes. There are no known exploits in the wild as of the publication date.
Potential Impact
The primary impact of this vulnerability is on the integrity of user accounts within applications using vulnerable versions of Devise. An attacker can confirm an email address they do not own on their account, potentially enabling unauthorized account takeover or manipulation of user identity verification processes. This can lead to further attacks such as privilege escalation, fraudulent transactions, or bypassing multi-factor authentication mechanisms tied to email confirmation. Organizations relying on Devise for authentication in Rails applications, especially those handling sensitive user data or financial transactions, face risks of compromised user trust and potential regulatory consequences. The vulnerability does not directly impact confidentiality or availability but undermines the trustworthiness of the authentication system, which is critical for secure operations.
Mitigation Recommendations
The definitive mitigation is to upgrade all Devise instances to version 5.0.3 or later, where the race condition is patched. For organizations unable to upgrade immediately, a practical workaround involves overriding the Devise model method responsible for persisting the `unconfirmed_email` attribute to ensure it is saved even if unchanged, preventing desynchronization. Mongoid users should implement additional workarounds, such as setting `changed_attributes["unconfirmed_email"] = nil`, to force attribute persistence due to Mongoid's behavior. Developers should audit their codebase for concurrent email change request handling and consider implementing application-level synchronization or queuing mechanisms to prevent race conditions. Additionally, monitoring for unusual email confirmation activities and enforcing strict logging can help detect exploitation attempts. Regularly reviewing and testing authentication workflows for concurrency issues is recommended to prevent similar vulnerabilities.
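The workaround above hinges on one detail the description only names in passing: an ORM with dirty tracking writes only attributes whose value differs from the loaded value, so a request that re-submits the address already pending writes a fresh `confirmation_token` but not `unconfirmed_email`, and if another request's write landed in between, the stored pair no longer matches what was mailed. The following Ruby script is an added illustration of that mechanism and of the fix, not Devise's code: it models a row with a simplified dirty tracker (`will_change!` stands in for ActiveModel's generated `unconfirmed_email_will_change!`), uses a constructed sample row, and checks the invariant a defender cares about, namely that the stored token was mailed to the stored pending address. The name of the Devise method to override is not given on this page and is not assumed here; in a real model the same effect is obtained by marking `unconfirmed_email` as changed inside that override (and, for Mongoid, additionally setting `changed_attributes["unconfirmed_email"] = nil` as the advisory notes).

```ruby
require 'securerandom'

# Stand-in for an ORM row with dirty tracking. Like ActiveRecord's partial
# writes, only attributes whose value differs from the loaded value are
# included in the UPDATE. (Simplified model, not ActiveRecord itself.)
class Row
  def initialize(loaded)
    @loaded = loaded.dup
    @changes = {}
  end

  def [](name)
    @changes.fetch(name) { @loaded[name] }
  end

  def []=(name, value)
    if value == @loaded[name]
      @changes.delete(name)          # same as the loaded value: not written
    else
      @changes[name] = value
    end
  end

  # Mirrors ActiveModel's `<attribute>_will_change!`: write it even if unchanged.
  def will_change!(name)
    @changes[name] = self[name]
  end

  def changes_to_save
    @changes.dup
  end
end

# One "email change" request: load the row, stage the new pending address and a
# fresh token, and record which address the token would be mailed to. The row is
# returned uncommitted so the caller can choose the commit order.
def stage_email_change(db, mail_log, new_email, force_persist:)
  row = Row.new(db)
  row['unconfirmed_email'] = new_email
  row['confirmation_token'] = SecureRandom.hex(8)
  row.will_change!('unconfirmed_email') if force_persist   # the workaround
  mail_log[row['confirmation_token']] = row['unconfirmed_email']
  row
end

def commit(db, row)
  db.merge!(row.changes_to_save)
end

# Defender's invariant: the token stored on the row must have been mailed to
# the address the row says is pending. If it was not, confirming with that
# token would confirm an address its recipient never proved ownership of.
def token_matches_pending?(db, mail_log)
  mail_log[db['confirmation_token']] == db['unconfirmed_email']
end

# Two requests overlap: both load the row before either commits, and the one
# whose pending address equals the already-stored value commits last.
def run_overlapping_change(force_persist:)
  db = { 'email' => 'user@example.com',               # constructed sample row
         'unconfirmed_email' => 'pending@example.com',
         'confirmation_token' => 'tok-old' }
  mail_log = { 'tok-old' => 'pending@example.com' }   # constructed mail log
  first  = stage_email_change(db, mail_log, 'pending@example.com', force_persist: force_persist)
  second = stage_email_change(db, mail_log, 'other@example.com',   force_persist: force_persist)
  commit(db, second)   # writes both unconfirmed_email and its token
  commit(db, first)    # without force_persist: writes only the token
  [db, mail_log]
end

if __FILE__ == $PROGRAM_NAME
  db, log = run_overlapping_change(force_persist: false)
  puts "partial writes:  token matches pending address = #{token_matches_pending?(db, log)}"
  db, log = run_overlapping_change(force_persist: true)
  puts "forced persist:  token matches pending address = #{token_matches_pending?(db, log)}"
end
```

The same `token_matches_pending?` check is also a useful audit query against a real database: any row whose stored token was issued for a different address than its current `unconfirmed_email` is evidence that the desynchronization has occurred, whether through this race or otherwise.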
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Japan, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.823Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bb5534e32a4fbe5f378d62
Added to database: 3/19/2026, 1:45:24 AM
Last enriched: 3/26/2026, 7:24:59 PM
Last updated: 5/3/2026, 5:43:59 AM
Views: 139