Changing your email to someone else's locks them out. Registration checked for duplicate addresses; the update endpoint didn't.I found this in a real cloud portal. Password reset doesn't recover the account; it silently logs the victim into the wrong one.https://go.edoardotosin.com/vdp-email-2026#BugBounty #WebSecurity #AppSec
E