Before Gerrit 94406 it was possible to confirm an email code without needing to log in to (any) user account. This was changed and produced bug 60433.
In my opinion the old behaviour should be restored.
If not, the logged-in user should be checked against the user who gets confirmed, because that can differ at the moment.
Version: 1.23.0
Severity: normal
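
The three behaviours discussed in this report, modelled as an added example (this is not MediaWiki's code; the `User` fields, the policy names and the hashed, expiring token scheme are assumptions made for illustration):

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:  # hypothetical account record
    name: str
    token_hash: Optional[str] = None
    token_expires: float = 0.0
    email_confirmed: bool = False


def issue_token(user: User, now: float, ttl: float = 7 * 86400) -> str:
    """Create a single-use confirmation code; only its hash is stored."""
    token = secrets.token_hex(16)
    user.token_hash = hashlib.sha256(token.encode()).hexdigest()
    user.token_expires = now + ttl
    return token


def find_by_token(users: List[User], token: str, now: float) -> Optional[User]:
    """Return the account the code was issued for, or None if unknown/expired."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for u in users:
        if (u.token_hash and now < u.token_expires
                and hmac.compare_digest(u.token_hash, digest)):
            return u
    return None


def confirm(users: List[User], token: str, session_user: Optional[str],
            policy: str, now: float) -> str:
    """policy (assumed names): 'anonymous'   = code alone is enough,
                               'login_only'  = any logged-in session is enough,
                               'login_match' = session must be the code's owner."""
    target = find_by_token(users, token, now)
    if target is None:
        return "invalid-or-expired"
    if policy != "anonymous" and session_user is None:
        return "login-required"
    if policy == "login_match" and session_user != target.name:
        return "wrong-account"  # logged-in user differs from the user being confirmed
    target.email_confirmed = True
    target.token_hash = None  # code cannot be replayed
    return "confirmed:" + target.name
```

With `login_only`, a session for one account confirms the address of whichever account the code belongs to, which is the mismatch the report describes; `login_match` rejects that case and `anonymous` never consults the session at all.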