Energy Department patched flaws enabling email impersonation in critical minerals system

ID: 29c4591c-60c0-5811-8bc1-1500dde50051

STIX ID: report--29c4591c-60c0-5811-8bc1-1500dde50051

Feed Name: Nextgov Cybersecurity

Threat Score: 55/100

Date Published: 2026-02-23

Date Updated: 2026-04-22

Author: David DiMolfetta


A security researcher discovered an identity verification flaw in the U.S. Department of Energy Office of Critical Minerals portal that allowed users to register and operate accounts appearing to belong to Energy Department email addresses via subdomain enumeration. The agency has remediated the issue and publicly credited the researcher, and there is no evidence the vulnerability was exploited. The flaw could have enabled adversaries to impersonate officials, request sensitive information, or insert themselves into program communications, posing national-security-relevant risks to critical-minerals initiatives.
