Race Condition Vulnerability in Devise Authentication for Rails by Heartcombo
CVE-2026-32700
6 MEDIUM
What is CVE-2026-32700?
Devise, an authentication solution for Rails applications, contains a race condition in its Confirmable module that allows an attacker to confirm an email address they do not control. This vulnerability affects applications using the reconfirmable option, which is the default for email changes. By sending simultaneous requests to change an email address, an attacker can exploit the desynchronization of the confirmation_token and unconfirmed_email fields, so that a token issued for one address ends up confirming another. This issue is resolved in Devise version 5.0.3, and users are strongly advised to upgrade promptly. Additionally, implementing a workaround on the affected Devise models can help mitigate the risk while a full upgrade is underway.
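The desynchronization described above, simulated in plain Ruby as an added example (this is not Devise's code nor its 5.0.3 fix): the two fields are written in separate steps so a concurrent request can land between them, a weak confirm then promotes whatever unconfirmed_email holds, and a hardened confirm rejects the pair because the token is bound to the address it was issued for. The Hash record, the secret and the addresses are constructed, and the MAC-bound token format is my assumption rather than Devise's implementation; the structural remedy in a real app is to perform both writes under a row lock (for example ActiveRecord's with_lock).

```ruby
require 'openssl'
require 'securerandom'
# Constructed stand-ins: a Hash plays the Confirmable record; a fixed string
# plays the app secret (Rails would use secret_key_base).
SECRET = 'constructed-demo-secret'.freeze

# Token that carries a MAC over the address it was issued for.
def issue_token(email)
  nonce = SecureRandom.hex(16)
  "#{nonce}.#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, nonce + email)}"
end
def token_valid_for?(token, email)
  nonce, mac = token.to_s.split('.', 2)
  return false unless nonce && mac && email
  mac == OpenSSL::HMAC.hexdigest('SHA256', SECRET, nonce + email)
end
# Racy pattern: the two fields are written in separate steps; the block
# simulates a concurrent email-change request running in the gap.
def change_email_racy(user, new_email)
  user[:unconfirmed_email] = new_email
  yield if block_given?
  user[:confirmation_token] = issue_token(new_email)
end

# Weak confirm: a matching token promotes whatever unconfirmed_email holds.
def confirm_weak(user, token)
  return false unless user[:confirmation_token] == token
  user[:email] = user[:unconfirmed_email]
  true
end

# Hardened confirm: the token must also have been issued for the address
# being promoted, so a desynchronised token/email pair is rejected.
def confirm_bound(user, token)
  return false unless user[:confirmation_token] == token &&
                      token_valid_for?(token, user[:unconfirmed_email])
  user[:email] = user[:unconfirmed_email]
  true
end

# Replays the advisory's interleaving: request A (attacker address) is cut off
# after its first write while request B (victim address) runs to completion.
def race_outcome(confirm)
  user = { email: 'original@example.test', unconfirmed_email: nil, confirmation_token: nil }
  change_email_racy(user, 'attacker@example.test') do
    change_email_racy(user, 'victim@example.test')
  end
  send(confirm, user, user[:confirmation_token])  # token that was mailed to A
  user[:email]
end
```

With the weak confirm the victim's address is promoted on the strength of a token delivered to the attacker; with the bound confirm the record keeps its original address until a consistent token/email pair is presented.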
Affected Version(s)
devise < 5.0.3
