A bug in our validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server.
We have resolved this in the latest version of NodeBB, and the fix has already been rolled out as a patch on all of our hosted customers.
For more information on the vulnerability as well as instructions on how to resolve this issue, please have a look here: https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
If you are unable to upgrade right away, you can also apply the fix by cherry-picking this commit.
As this release contains a critical security fix, we highly recommend upgrading at your earliest convenience. If you are running your own server and encounter any issues upgrading, please post them in the community support forum.