If the user is a staff member (admin or moderator): for security, Discourse requires verification from both the old and new email addresses. If the user cannot access their old email, the confirmation flow breaks and causes permission issues such as the one you described.
If the user is not a staff member: as an admin, you should be able to change their email directly from the user’s preference page, and only the new address should be sent a confirmation.
Try below:
Temporarily remove admin and moderator privileges from their account.
Change their email using the same preference page method as above.
After the email address change is fully verified and functional, restore their staff privileges.