A bug in our validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server.
We have resolved this in the latest version of NodeBB, and the fix has already been rolled out as a patch on all of our hosted customers.
For more information on the vulnerability as well as instructions on how to resolve this issue, please have a look here: https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
Click here to see the full blog post
@CaioDA Just disable them from the admin control panel. Options > Disable then Save.
Is it really that simple? Now I'm embarrassed... But, going along with what @planner said and @psychobunny pointed out, this is a very developer centered forum software with an initially steep learning curve. It's not quite plug and play. I recommend something like Foundation's Joyride to introduce new users to the system.
Update: But currently, there is no way to remove them completely (unless a forum restart is required or override them). That's a feature I'd love to see.