OctoPrint does not prevent unauthenticated password changes. The vulnerability is due to the API not requiring the user's previous password during the reset. An attacker with access to the user's cookie can reset the password without knowing the current password.
github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f
github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f#diff-dc31d985e0a9b21d4aac0690f739ac664c1c8619b22fc7591ff4663c89993758
huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477
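The weakness described above, shown as a password-change handler that trusts the session alone next to one that also demands the current password. This is an added example, not OctoPrint's code: `UserStore`, both handler functions and the returned status codes are hypothetical names and assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Hypothetical in-memory user store (not OctoPrint's user manager)."""

    def __init__(self):
        self._users = {}

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))

    set_password = add  # changing a password re-salts and re-hashes

    def check_password(self, name: str, password: str) -> bool:
        salt, stored = self._users[name]
        return hmac.compare_digest(stored, _hash(password, salt))


def change_password_weak(store, session_user, target, new_password):
    """Behaviour described above: a valid session (cookie) is sufficient."""
    if session_user != target:
        return 403
    store.set_password(target, new_password)
    return 200


def change_password_hardened(store, session_user, target, new_password,
                             current_password=None):
    """Same request, but the caller must also prove knowledge of the
    current password, so a stolen cookie alone cannot take over the account."""
    if session_user != target:
        return 403
    if current_password is None:
        return 400  # assumed status for a missing field
    if not store.check_password(target, current_password):
        return 403  # assumed status for a wrong current password
    store.set_password(target, new_password)
    return 200
```

With the hardened handler, a request carrying only the session identity is rejected before the stored credential is touched.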