Nathan, this issue is specifically tied to this topic: https://www.phpbb.com/community/viewtopic.php?f=44&t=2169160 and is present in both olympus and develop.
EDIT: To clarify, the "vulnerability" is very weak. Basically, it allows an attacker to, with a very low likelihood, use 1 or 0 as the activation key for resetting a user's password because some strings can be evaluated as numbers using loose comparison (==). This ultimately can lock a user out of their account by changing their password to a temporary one, but in the end, the user will still have the temporary password in their email, which the attacker cannot access. As such, this does not result in the attacker being able to gain the user's account, unless the attacker is able to access the user's email, in which case he would not need to use this "vulnerability" anyway, as both the activation key and the temporary password are sent in the email. It is more of an annoyance than a vulnerability. However, it is something we should fix.