It looks like anyone can change anyone else's password by using the forgot username function.
A first annoyance is that you can easily lock the default root account like this:
Sign in > Forgot Username / Password > Forgot My Password
Now try to log in with root / gtn >> you can't.
What happened?
GateIn has generated a new password for root and sent it to the default email address, which is... root@localhost.
Using this function, anyone would be able to change anyone else's password.
The flow for password recovery should not regenerate a new password until the user has confirmed by clicking a generated URI in the email.
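One way to structure the recovery flow so that the stored password is untouched until the emailed link is actually used, as an added example in Python that is not GateIn's code (the user store, mailer callback and portal URL are constructed stand-ins):

```python
"""Password-reset flow that defers any credential change until the emailed
token is presented. Added example, not GateIn code; the user store, mailer
and reset URL are constructed stand-ins."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes


class PasswordResetService:
    def __init__(self, users, send_mail, clock=time.time):
        # users: {username: {"email": str, "password": str}} (constructed store)
        self.users = users
        self.send_mail = send_mail   # callable(address, body); stand-in mailer
        self.clock = clock           # injectable for testing expiry
        self.pending = {}            # sha256(token) -> (username, expires_at)

    def request_reset(self, username):
        """Step 1: email a one-time link. The password is NOT changed here,
        so knowing a username alone cannot lock that account out."""
        user = self.users.get(username)
        if user is None:
            return  # identical behaviour for unknown users: no username oracle
        token = secrets.token_urlsafe(32)
        # store only a digest, so a leaked pending table cannot be replayed
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, self.clock() + TOKEN_TTL_SECONDS)
        self.send_mail(user["email"],
                       f"https://portal.example/reset?token={token}")

    def confirm_reset(self, token, new_password):
        """Step 2: only a valid, unexpired, unused token may set a password."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop => single use
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.users[username]["password"] = new_password
        return True
```

Requesting a reset for root leaves root / gtn working; only the holder of the mailbox that received the link can complete the change, and the link is single-use and time-limited.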