Hi, I found a way to take over a user's account.

1. Victim A is a member of an organization, orgA.
2. The attacker creates a new account with orgB.
3. Invite victim A to orgB.
4. Since an admin can access the invitation link, the attacker copies this link and sets a new password using it.
5. Now log in with victim A's email and the newly created password.
POC Link :-