The default policy in Keystone v3 lets a user change their own password without first confirming the current password. See "identity:update_user": [["rule:admin_or_owner"]] in /etc/keystone/policy.json. This only affects v3: Keystone v2.0 offers a separate update_own_password API, which requires confirming the old password before setting a new one.
The suggested fix is to change /etc/keystone/policy.json to read "identity:update_user": [["rule:admin_required"]] instead, so that only admin users can change user records. Note that this means a regular user won't have any way to change their own password anymore.
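To make the effect of the two policy lines concrete, here is an added example (not Keystone's own enforcement code) that evaluates legacy policy.json rules the way the list-of-lists format works: the outer list is OR, the inner list is AND, and each term is "kind:match". The definitions of admin_required, owner and admin_or_owner are assumptions modelled on the defaults Keystone shipped at the time; only the identity:update_user line itself comes from the note above. The constructed credentials for "alice" and "admin" show that under the default rule the owner path matches with no further check, which is exactly why a password can be changed without the current one, and that the suggested fix closes that path for non-admins.

```python
# Constructed subset of a legacy Keystone policy.json (list-of-lists form).
# admin_required / owner / admin_or_owner are assumed defaults; the
# identity:update_user line is the one quoted in the note.
WEAK_POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "identity:update_user": [["rule:admin_or_owner"]],
}

# The suggested fix: identical except for the action rule.
FIXED_POLICY = dict(WEAK_POLICY, **{"identity:update_user": [["rule:admin_required"]]})

# Constructed credentials: a regular user and an admin.
ALICE = {"user_id": "alice", "roles": ["member"]}
ADMIN = {"user_id": "root", "roles": ["admin"]}


def _check_term(term, policy, creds, target):
    """Evaluate one 'kind:match' term against the caller's credentials."""
    kind, _, match = term.partition(":")
    # %(key)s placeholders are filled from the target the caller acts on.
    match = match % target
    if kind == "rule":
        # Reference to another named rule in the same policy.
        return enforce(match, policy, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic attribute comparison (user_id, is_admin, ...).
    return str(creds.get(kind)) == match


def enforce(rule_name, policy, creds, target):
    """Outer list = OR of alternatives, inner list = AND of terms."""
    alternatives = policy.get(rule_name)
    if alternatives is None:
        return False  # unknown rule: deny by default
    return any(
        all(_check_term(term, policy, creds, target) for term in conjunction)
        for conjunction in alternatives
    )


def can_update_user(policy, creds, target_user_id):
    """Would identity:update_user be allowed for this caller and target?"""
    return enforce("identity:update_user", policy, creds, {"user_id": target_user_id})


if __name__ == "__main__":
    for label, policy in (("default (admin_or_owner)", WEAK_POLICY),
                          ("fixed (admin_required)", FIXED_POLICY)):
        print(label)
        print("  alice -> alice:", can_update_user(policy, ALICE, "alice"))
        print("  alice -> bob  :", can_update_user(policy, ALICE, "bob"))
        print("  admin -> alice:", can_update_user(policy, ADMIN, "alice"))
```

Running it shows alice allowed to update her own record only under the default policy, never anyone else's, and the admin allowed under both. The owner term is a plain user_id comparison, so nothing in the policy layer can require the current password; that is why the fix removes the owner path entirely rather than adding a condition to it.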