CVE-2026-32700: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in heartcombo devise
CVE-2026-32700 is a race condition vulnerability in the Devise authentication library for Ruby on Rails applications, specifically affecting versions prior to 5.0.3 when using the Confirmable module with the reconfirmable option enabled. An attacker can exploit this flaw by sending two concurrent email change requests, causing a desynchronization between the confirmation token and the unconfirmed_email field. This allows the attacker to confirm a victim's email address on their own account, potentially leading to account takeover or impersonation. The vulnerability arises from improper synchronization of shared resources during concurrent execution. It has a CVSS 4.0 score of 6.0 (medium severity) and requires low privileges but high attack complexity, with no user interaction needed. The issue is patched in Devise 5.0.3.
AI Analysis
Technical Summary
CVE-2026-32700 is a concurrency-related vulnerability classified under CWE-362 (Race Condition) in the Devise authentication framework, widely used in Ruby on Rails applications. The flaw exists in the Confirmable module when the reconfirmable option is enabled (default behavior for email changes). The vulnerability occurs because Devise does not properly synchronize access to shared resources when processing concurrent email change requests. Specifically, when two email change requests are submitted simultaneously, the confirmation_token sent to the attacker-controlled email address becomes desynchronized from the unconfirmed_email field in the database, which still points to the victim's email. Consequently, when the attacker uses the confirmation token, the victim's email is confirmed on the attacker's account, effectively allowing the attacker to hijack or impersonate the victim's email identity within the application. This can undermine authentication and authorization mechanisms relying on confirmed email addresses. The vulnerability requires low privileges (the attacker must have an account) but has a high attack complexity due to the need to trigger concurrent requests precisely. No user interaction is required beyond the attacker's own actions. The issue is resolved in Devise version 5.0.3 by fixing the synchronization logic. As a mitigation, applications can override Devise model methods to force persistence of the unconfirmed_email attribute even if unchanged, though Mongoid users may need additional workarounds due to its handling of attribute changes. No public exploits have been reported yet, but the vulnerability poses a significant risk to any Rails application using vulnerable Devise versions with reconfirmable enabled.
Potential Impact
The primary impact of this vulnerability is the potential for attackers to confirm email addresses they do not own on their accounts, enabling account impersonation or takeover scenarios. This undermines the integrity of the authentication system, as confirmed email addresses are often used as a trust anchor for identity verification, password resets, and communication. Organizations relying on Devise with the Confirmable module and reconfirmable option enabled may face risks including unauthorized access, privilege escalation, and loss of user trust. The vulnerability could facilitate phishing, fraud, or lateral movement within affected applications. Since Devise is a popular authentication solution in the Ruby on Rails ecosystem, many web applications, including enterprise, e-commerce, and SaaS platforms, could be impacted globally. The medium CVSS score reflects the moderate ease of exploitation combined with significant impact on integrity. Although no known exploits are currently reported, the vulnerability should be treated seriously due to the sensitive nature of authentication systems.
Mitigation Recommendations
The most effective mitigation is to upgrade all affected Devise instances to version 5.0.3 or later, where the race condition is fixed. Until upgrades can be performed, developers should implement the recommended workaround by overriding the relevant Devise model method to force the unconfirmed_email attribute to be persisted even if it has not changed, preventing desynchronization. For applications using Mongoid, additional custom code may be required to manipulate changed_attributes to ensure proper persistence, as Mongoid does not fully respect the will_change! method. Application owners should also review their email confirmation workflows and consider adding additional logging and monitoring for suspicious concurrent email change requests. Rate limiting or throttling email change requests may reduce the likelihood of successful exploitation. Finally, developers should audit their authentication-related code for other potential concurrency issues and ensure robust synchronization mechanisms are in place.
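The desynchronization described above, and the forced-persistence workaround, reduced to a runnable Ruby simulation. This is an added example, not Devise's or Rails' code: UsersTable, User, assign, will_change!, request_email_change, confirm and simulate are constructed stand-ins for ActiveRecord dirty tracking (partial UPDATEs) and Confirmable's reconfirmable flow, and the addresses are made up.

```ruby
require 'securerandom'
# Constructed users table: only columns marked changed are written (partial UPDATE).
class UsersTable
  def initialize
    @row = { email: 'attacker@example.test', unconfirmed_email: nil, confirmation_token: nil }
  end
  def load; @row.dup; end
  def update(changes); @row.merge!(changes); end
end

# Model with dirty tracking. force_write: true is the advisory's workaround: mark
# unconfirmed_email as changed even when its value is equal, so every save writes it.
class User
  def initialize(table, force_write: false)
    @table, @force_write, @attrs, @changed = table, force_write, table.load, {}
  end
  def assign(name, value)
    return if @attrs[name] == value     # unchanged attribute is skipped on save
    @attrs[name] = @changed[name] = value
  end
  def will_change!(name)                # analogue of ActiveModel's *_will_change!
    @changed[name] = @attrs[name]
  end
  # Reconfirmable flow: park the new address in unconfirmed_email and issue a
  # fresh token, which is mailed to that address.
  def request_email_change(new_email)
    assign(:unconfirmed_email, new_email)
    will_change!(:unconfirmed_email) if @force_write
    assign(:confirmation_token, SecureRandom.hex(8))
    @table.update(@changed)
    @changed = {}
    @attrs[:confirmation_token]
  end
end
# Confirmation endpoint: a valid token promotes whatever unconfirmed_email holds.
def confirm(table, token)
  row = table.load
  return nil unless row[:confirmation_token] == token
  table.update(email: row[:unconfirmed_email], unconfirmed_email: nil, confirmation_token: nil)
  table.load[:email]
end

# Interleaving from the advisory: a pending change to a second attacker-owned
# address, then two requests that both load the row before either saves.
def simulate(force_write:)
  table = UsersTable.new
  User.new(table, force_write: force_write).request_email_change('attacker2@example.test')
  req_a, req_b = Array.new(2) { User.new(table, force_write: force_write) }
  req_a.request_email_change('victim@example.test')            # writes both columns
  token = req_b.request_email_change('attacker2@example.test') # unpatched: token only
  confirm(table, token)
end
```

Without the forced write, the second save updates only confirmation_token, so the token mailed to the attacker's address confirms the victim's address; with it, unconfirmed_email and confirmation_token are always written together and the confirmed address is the one the token was sent to.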
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Japan, India, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.823Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bb5534e32a4fbe5f378d62
Added to database: 3/19/2026, 1:45:24 AM
Last enriched: 3/19/2026, 1:45:33 AM
Last updated: 3/19/2026, 2:47:47 AM