Title: Origin validation bypass in password reset and email verification link generation when APPSMITH_BASE_URL is unset
Repo: appsmithorg/appsmith
Branch: release
Commit: e77639eca4974469c1e676904851ffdaedd38111

Core issue:
- public email auth endpoints accept the request's Origin header
- controller stores that Origin as baseUrl
- service validates baseUrl only when APPSMITH_BASE_URL is configured
- when APPSMITH_BASE_URL is unset, the caller-supplied origin is accepted without validation
- token-bearing links are generated from that base URL
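
The flow above next to a fail-closed variant, as an added sketch that is not Appsmith's code: class and method names are hypothetical, and rejecting a mismatched Origin with an exception is an assumption. Refusing to build links when APPSMITH_BASE_URL is unset is one possible hardening, not the project's fix.

```java
import java.net.URI;
import java.util.Locale;

// Added illustration; all names here are hypothetical, not Appsmith's.
public class ResetLinkBase {
    // Behaviour the report describes: validation runs only when a base URL is configured.
    static String resolveAsReported(String configuredBaseUrl, String requestOrigin) {
        if (configuredBaseUrl == null || configuredBaseUrl.isBlank()) {
            return requestOrigin; // caller-supplied Origin becomes the link base
        }
        requireMatch(configuredBaseUrl, requestOrigin);
        return requestOrigin;
    }

    // Fail-closed variant: the link host only ever comes from configuration.
    static String resolveFailClosed(String configuredBaseUrl, String requestOrigin) {
        if (configuredBaseUrl == null || configuredBaseUrl.isBlank()) {
            throw new IllegalStateException("APPSMITH_BASE_URL is unset; refusing to build link");
        }
        requireMatch(configuredBaseUrl, requestOrigin);
        return normalize(configuredBaseUrl);
    }

    static void requireMatch(String configured, String origin) {
        if (!normalize(configured).equals(normalize(origin))) {
            throw new IllegalArgumentException("Origin does not match configured base URL");
        }
    }
    // Reduce a URL to scheme://host[:port], lower-cased, dropping path, query and userinfo.
    static String normalize(String url) {
        URI u = url == null ? null : URI.create(url.trim());
        if (u == null || u.getScheme() == null || u.getHost() == null) {
            throw new IllegalArgumentException("Not an absolute URL: " + url);
        }
        String port = u.getPort() == -1 ? "" : ":" + u.getPort();
        return (u.getScheme() + "://" + u.getHost() + port).toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        String origin = "https://untrusted.example"; // constructed sample Origin value
        System.out.println("as reported: " + resolveAsReported(null, origin));
        try {
            resolveFailClosed(null, origin);
        } catch (IllegalStateException e) {
            System.out.println("fail closed: " + e.getMessage());
        }
        System.out.println("configured:  " + resolveFailClosed("https://app.example.com/", "https://APP.example.com"));
    }
}
```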

Security outcome:
- attacker-controlled host can become the clickable host in reset / verification emails
- victim interaction can plausibly expose token material
- account takeover is a realistic outcome on affected deployments

Recommended severity:
- High
