Platform
ruby
Component
devise
Fixed in
5.0.4
5.0.3
CVE-2026-32700 describes a race condition vulnerability within the Devise Confirmable module, a popular authentication solution for Ruby on Rails applications. This flaw allows an attacker to potentially hijack user accounts by confirming email addresses they do not own. The vulnerability impacts applications using the reconfirmable option, which is the default configuration when using Confirmable with email changes, and affects versions of Devise up to 5.0.2. A fix is available in version 5.0.3.
The core of the vulnerability is a desynchronization between the `confirmation_token` and `unconfirmed_email` fields on the Devise-managed user record. An attacker can exploit this by sending two concurrent email change requests. The first request triggers the generation and sending of a confirmation token to an email address controlled by the attacker. Simultaneously, the second request updates the `unconfirmed_email` field in the database to point to a victim's email address. When the attacker subsequently uses the confirmation token, the system incorrectly confirms the victim's email address, effectively granting the attacker control over the victim's account. This could lead to unauthorized access to sensitive data, modification of user profiles, and potentially further compromise of the application.
This vulnerability was publicly disclosed on March 17, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of this writing. The CVSS score of 5.3 (Medium) reflects the potential impact and relatively low exploitability.
Applications built with Ruby on Rails that utilize the Devise authentication gem and specifically enable the reconfirmable option in the Confirmable module are at risk. This includes applications that allow users to change their email addresses and rely on email confirmation for verification. Shared hosting environments where multiple applications share the same database may also be vulnerable if one application is running an older, vulnerable version of Devise.
• ruby / rails:
  # Check the installed Devise version (Devise::VERSION is the gem's version constant)
  require 'devise'
  puts "Devise version: #{Devise::VERSION}"
• generic web:
  # Find models that enable the Confirmable module
  grep -rn 'confirmable' app/models/
• generic web:
  # Probe the default Devise confirmation route for a User model (replace the hostname);
  # Devise does not normally identify itself in response headers, so an empty result is not conclusive
  curl -I https://your-rails-app.com/users/confirmation/new | grep -i devise
EPSS
0.02% (5th percentile)
The primary mitigation for CVE-2026-32700 is to upgrade to Devise version 5.0.3 or later, which contains the fix for the race condition. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing a temporary workaround by adding a unique constraint on the unconfirmed_email field in the database. This will prevent concurrent updates to the same email address, mitigating the race condition. Additionally, monitor application logs for suspicious activity, such as multiple email confirmation requests originating from the same IP address within a short timeframe. After upgrading, confirm the fix by attempting to trigger the race condition manually and verifying that the email confirmation process behaves as expected.
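A log check for the monitoring recommendation above, as an added example that is not part of this advisory or of the Devise project. It assumes Rails' default request-log format and Devise's default routes for a `User` model, and runs on constructed sample lines; it flags IPs that issue several email-change or confirmation requests within a short window.

```ruby
require 'time'

# Constructed sample lines in Rails' default request-log format (not real traffic).
# Paths assume Devise's default routes for a User model: the email change is
# submitted with PUT/PATCH /users, and the token is redeemed with GET /users/confirmation.
SAMPLE_LOG = <<~LOG
  Started PUT "/users" for 203.0.113.5 at 2026-03-17 10:00:00 +0000
  Started PUT "/users" for 203.0.113.5 at 2026-03-17 10:00:00 +0000
  Started GET "/users/confirmation?confirmation_token=[FILTERED]" for 203.0.113.5 at 2026-03-17 10:00:03 +0000
  Started GET "/" for 198.51.100.7 at 2026-03-17 10:00:01 +0000
  Started PUT "/users" for 198.51.100.7 at 2026-03-17 10:05:00 +0000
  Started PUT "/users" for 198.51.100.7 at 2026-03-17 10:20:00 +0000
LOG

LINE_RE = /\AStarted (?<verb>\w+) "(?<path>[^"]+)" for (?<ip>\S+) at (?<time>.+)\z/

# True for requests that take part in the reconfirmation flow.
def email_flow_request?(verb, path)
  change = %w[PUT PATCH].include?(verb) && path == '/users'
  redeem = verb == 'GET' && path.start_with?('/users/confirmation')
  change || redeem
end

# Parse the log into [ip, time] pairs, keeping only reconfirmation-flow requests.
def email_flow_events(log)
  log.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    next unless email_flow_request?(m[:verb], m[:path])
    [m[:ip], Time.parse(m[:time])]
  end
end

# IPs with at least `threshold` flow requests inside any sliding window of
# `window_seconds`; two-pointer scan over each IP's sorted timestamps.
def suspicious_ips(log, window_seconds: 60, threshold: 2)
  email_flow_events(log).group_by(&:first).filter_map do |ip, events|
    times = events.map(&:last).sort
    start = 0
    burst = times.each_with_index.any? do |t, i|
      start += 1 while t - times[start] > window_seconds
      i - start + 1 >= threshold
    end
    ip if burst
  end
end

puts suspicious_ips(SAMPLE_LOG).inspect if $PROGRAM_NAME == __FILE__
```

Tune `window_seconds` and `threshold` to the application's normal traffic; a single user legitimately changing an address produces one change request followed by one redemption, so the default flags only tighter bursts than that.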
Update the Devise gem to version 5.0.3 or later. This fixes the race condition in the Confirmable module. If you cannot upgrade immediately, you can implement the workaround described in the advisory, which involves overriding a specific method in the Devise models to force `unconfirmed_email` to be persisted when it is not modified.
CVE-2026-32700 is a race condition vulnerability in Devise versions up to 5.0.2. It allows attackers to confirm email addresses they don't own, potentially hijacking user accounts.
You are affected if your Ruby on Rails application uses Devise version 5.0.2 or earlier and has the reconfirmable option enabled in the Confirmable module.
Upgrade to Devise version 5.0.3 or later to resolve the race condition. As a temporary workaround, add a unique constraint on the unconfirmed_email database field.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-32700.
Refer to the Devise project's security advisories and release notes for details: https://github.com/heartcombo/devise/security