Activation emails sent to Admin usable by Anyone

When a board is set for activation by Admin, emails containing activation links are sent to administrators when a new account is created or when existing users change certain details in their profiles. As it happens, these activation links are usable by anyone - not just the board administrators. This has been true in every 3.0.x version so far. However, in phpBB2, activation links sent to Admins didn't work unless actually used by an administrator who was logged in. This really ought to work the way it did in phpBB2. The current behavior in phpBB3 is a vulnerability because it enables unauthorized persons to activate accounts, even though the board is configured for admin activation.

While I've known of this problem for a long time, it didn't seem terribly serious at first. I'm submitting this bug report after seeing the Support request at http://www.phpbb.com/community/viewtopic.php?f=46&t=1437125&start=345#p9711395 where a board administrator reported that even though his board is configured for admin activation, some spammers were somehow bypassing the admin activation process, and were activating their own accounts. I speculated in my reply at http://www.phpbb.com/community/viewtopic.php?f=46&t=1437125&start=360#p9711675 that this administrator's email account may have been compromised, enabling the spammer to intercept activation emails. But I also pointed out that this works only because phpBB3 allows all activation links to work when clicked by anyone. If the activation links worked as in phpBB2, they wouldn't work unless clicked by someone who is actually logged in as an administrator.