Yeh its fixed in latest
NodeBB v1.14.3: A Critical Security Update
A bug in our validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server.
We have resolved this in the latest version of NodeBB, and the fix has already been rolled out as a patch on all of our hosted customers.
For more information on the vulnerability as well as instructions on how to resolve this issue, please have a look here: https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
Click here to see the full blog post