GHSA-rv89-wch8-c574MediumCVSS 4.3

Paymenter doesn't reset email verification status after email change

Published
June 22, 2026
Last Modified
June 22, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The email update functionality fails to invalidate the existing verification state when a user changes their email address, allowing a verified account to retain its verified status after switching to an unverified or unowned email address.

Technical Details

When a user updated their email address, the system did not reset or revalidate the associated email verification status. As a result, the verification column remained set to “true” even after the email address was changed.

This allowed an attacker to:

  • Verify an account using a legitimate email address
  • Change the account email to an arbitrary or unowned address
  • Retain the verified status without re-confirmation of the new email

No verification challenge or confirmation was required for the newly assigned email address.

Impact

This vulnerability allows a user to associate a verified account with an email address they do not control, this may result in:

  • Misrepresentation of email ownership
  • Bypass of verification-based trust assumptions
  • Potential abuse of features gated behind verified status

No direct unauthorized access to other users accounts or data is possible through this issue alone.

🎯 Affected products1

  • composer/paymenter/paymenter:< 1.5.0

🔗 References (2)