> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

> Cases where improper custom rule code may create vulnerabilities in the authentication flow.

# Auth0 Security Bulletin for Assigning Scopes Based on Email Address

## Overview

If you:

* Use rules to assign scopes to users based on their email addresses **and**
* Your application uses multiple connections

There is a possibility that your scopes could be compromised.

## How This Works

Auth0 requires that email addresses are unique on a per-connection basis. However, there are no limitations on a per-application basis.

Therefore, it is possible for user A to sign up for the application using one connection and user B to sign up for the application with the same email address using a different connection.

If your rules assign scopes to users based on email address, the second user has now been given the same scopes as the first user, despite being a different individual.

## How do I fix this?

The most straightforward mitigation is to require users to verify their email address after signing up and before being allowed to log in.