The issue here is someone doesn’t ever want users to change their emails, and they were allowed to do so following approval if they hadn’t activated their original email. It doesn’t seem like a security hole to me since the user still had to authenticate the email, but I understand in some rare situations forum owners don’t want users to change their emails.
The solution is what’s suggested earlier: don’t allow staff to approve a user until they’ve confirmed their email address.
https://github.com/discourse/discourse/commit/db929e58fc02923ddc2d09add5103aaba73c027f