Guest user is assigned user role upon email verification  #13823

@dkatheininger

Description:

When a user that only has the role "Guest" assigned changes their email address and verifies the new address by clicking the link, the role "User" is automatically assigned to them. I believe this is a major security issue, as guest users can upgrade their privileges by themselves.

In case there is a setting in the administration area that determines this behaviour, I wasn't able to find it.

Steps to reproduce:

  1. Log in as a user having only the role "guest"
  2. Go to the user profile and change the email address
  3. In the verification email click the verification link
  4. The user now has the role "user" assigned

Server Setup Information:

  • Version of Rocket.Chat Server: 0.74.3
  • Operating System: Linux
  • Deployment Method: Docker
