Hi everyone :smiley: I'm currently setting up emai...
# general
Hi everyone 😃 I'm currently setting up email verification in Ory Kratos (self hosted) but I'm running into an issue when calling updateVerificationFlow. It seems like when I put an email address for an already verified email address, the verification email gets sent again; more importantly, anyone is able to trigger this as it's a public endpoint. Wouldn't this be vulnerable to spam? User A could just craft their own update verification flow request, enter the email of User B and Ory Kratos would just send a verification email to User B even though his email might already be verified.
For the record, I have tried changing the email field to the email from a different identity (already verified email) and the verification email gets resent.
Is there a way to prevent this behavior?
Relevant part of my kratos.yml config