Auth0 Change Password Unexpected behaviour

Hey Auth0 Community,

I came across a potential bug in the password reset feature of Auth0 that I believe needs attention. When I entered an incorrect email address, the system still returns a success message, stating “We’ve just sent you an email to reset your password.%”. This behavior seems incorrect as it should ideally show an error message indicating that the email does not exist in the system. This issue raises concerns regarding the security and reliability of the password reset functionality, potentially allowing unauthorized access attempts by verifying the existence of email addresses.

I am using this API:
curl --request POST \
  --url '**/dbconnections/change_password' \
  --header 'content-type: application/json' \
  --data '{"client_id": "*******", "email": "some email", "connection": "Username-Password-Authentication"}'

I believe this is intentional. The point is to not leak information re: what email addresses are registered and which are not. I’m not convinced it provides a meaningful security benefit—you can just use the registration page to fish for registered email addresses—but the current behaviour is intentional.
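The trade-off described in the reply above, shown as an added example that is not Auth0's code and not part of this thread: a minimal reset-request handler in two variants, one that answers differently for unknown addresses (and so confirms which emails are registered) and one that returns the same status and message either way and only does the real work for accounts that exist. The `ResetService` class, its in-memory user store and the `outbox` queue are constructed stand-ins for a real backend.

```python
# Added example, not Auth0's implementation. The user store and outbox below
# are constructed in-memory stand-ins so the code runs offline.
import secrets
from dataclasses import dataclass, field

# Same wording the thread quotes; returned regardless of whether the address exists.
RESET_MESSAGE = "We've just sent you an email to reset your password."


@dataclass
class ResetService:
    users: dict                                   # constructed store: email -> account record
    outbox: list = field(default_factory=list)    # messages queued for delivery
    tokens: dict = field(default_factory=dict)    # single-use reset token -> email

    @staticmethod
    def _normalize(email: str) -> str:
        # Case-insensitive lookup so "Alice@Example.com" hits the same record.
        return email.strip().lower()

    def _queue_reset_email(self, email: str) -> None:
        # Cheap: generate a token and enqueue. Actual SMTP delivery happens
        # elsewhere, so the handler's response time barely depends on this branch.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = email
        self.outbox.append({"to": email, "token": token})

    def request_reset_leaky(self, email: str) -> dict:
        """What the original post asked for: a distinct error for unknown
        addresses. Each response tells the caller whether the email is registered."""
        key = self._normalize(email)
        if key not in self.users:
            return {"status": 404, "message": "That email address is not registered."}
        self._queue_reset_email(key)
        return {"status": 200, "message": RESET_MESSAGE}

    def request_reset_uniform(self, email: str) -> dict:
        """The intentional behaviour described in the reply: identical status and
        body for known and unknown addresses; mail is only queued for real accounts."""
        key = self._normalize(email)
        if key in self.users:
            self._queue_reset_email(key)
        return {"status": 200, "message": RESET_MESSAGE}

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Redeem a token once; unknown or already-used tokens are rejected."""
        email = self.tokens.pop(token, None)
        if email is None or email not in self.users:
            return False
        self.users[email]["password"] = new_password   # stand-in for a real hash+store
        return True


def responses_are_indistinguishable(service: ResetService, known: str, unknown: str) -> bool:
    """Check a defender would run: the uniform endpoint must return byte-identical
    responses for a registered and an unregistered address."""
    return service.request_reset_uniform(known) == service.request_reset_uniform(unknown)


if __name__ == "__main__":
    svc = ResetService(users={"alice@example.com": {"password": "old"}})
    print(svc.request_reset_leaky("nobody@example.com"))      # reveals non-existence
    print(svc.request_reset_uniform("nobody@example.com"))    # same as for a real user
    print(responses_are_indistinguishable(svc, "alice@example.com", "nobody@example.com"))
    print(len(svc.outbox), "email(s) queued, all for registered accounts")
```

The uniform variant answers the original question directly: a success message for an address that was never registered is the design, and the second symptom in the thread (no email arriving for a correct address) is then about delivery, not about the response. Queueing the message rather than sending it inline also keeps the response time similar for both branches, which matters because a slow "success" can leak the same fact a 404 would.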

But even with the correct emails, I can't get the reset email.