This is a quick warning to those of you playing with v4beta.
As of v4beta3, there is no authentication for Mailhog (example.com/ee-admin/mailhog/), so all admin email notifications, including password reset emails, are publicly accessible from the above Mailhog URL without authentication.
That means it’s a walk in the park for anyone to reset your admin password.
I know it’s a beta and there’s a warning this must not be used in production and all that. But really, even for a beta, I think this is unacceptable… as this leaves every test installation open for admin takeover.