Login email verification bypass via `/oauth/token`. GitLab disclosed a bug submitted by cybxis: https://hackerone.com/reports/2676025 [Source]