I can see that username/email address is used for resetting password. But when I added an exist email address, it’s still successful. I have downloaded the server from a customized version. Is it because of the customized version, or the original version?
IMHO there is no “unique” validation for user email addresses. I can assign same email for two different users on official docker 25.0.1.
This could result in security flaw if used for password reset but could be considered as feature in case user want to share specific email for some reason (e.g. notifications). And by default users are in control of their email address - nobody prevents them from changing it to a valid unique personal address.