obs-server prior to 1.7.7 allows logins by 'unconfirmed' accounts due to a bug in the REST API implementation.
obs-server obs-server
SUSE Linux Enterprise Server 11