obs-server before 1.7.7 allows logins by 'unconfirmed' accounts due to a bug in the REST api implementation.