  1. Red Hat build of Keycloak
  2. RHBK-3927

UPDATE_EMAIL action invalidates old email [GHI#43738]

      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      login/ui

      Describe the bug

      When a user has the required action UPDATE_EMAIL and submits a new email address, the new one is added to the user as an "Email pending verification".

      At the same time, Email verified is being set to false. If the user is still using his account in a client and has to refresh his tokens, the refresh fails, he gets redirected to Keycloak and gets an email to his old address for verifying it.

      Version

      26.4.2

      Regression

      [ ] The issue is a regression

      Expected behavior

      While a new email is in the process of being verified, the user can still operate. He can access clients with login over Keycloak and can seamlessly refresh his access token.

      Actual behavior

      The user cannot log in successfully and has to re-verify his old email address.

      How to Reproduce?

      1. Set up a Keycloak instance with email verification on and enable the required action UPDATE_EMAIL
      2. Create a user and verify his email
      3. Add the required action UPDATE_EMAIL to the user
      4. Check the mails of the user and click on the update email link
      5. Submit a new email address
      6. Try to log in to the account console with the user
      7. Notice that you have to verify your old email address

      Anything else?

      No response

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core IAM