The new reset actions don't require the user to authenticate prior to performing them. Is it not a bit dangerous that the user can change the email address without authentication?

For reset password we obviously need to be able to do it without requiring authentication, but shouldn't "bypassing" authentication be limited as much as possible?