CDS Invenio 0.92.1 and earlier allows remote authenticated users to delete email notification alerts of arbitrary users via a modified internal UID.