Consequences can vary:
- the attacker can monitor the victim's actions
- the attacker can interact with the victim without them realizing that a session swap has just occurred
- some low-severity bugs can become exploitable (e.g. an XSS in a configuration page that is visible only to the account holder)
- or the links can simply be found through a web search; unexpired password reset links may still be indexed, and following one actually logs the bearer into the victim's account
To mitigate this issue, don't log users in where that's not required. If it's a password reset link, only reset the password; if it's an e-mail confirmation link, only confirm the e-mail address without logging the user in. And make sure your other login forms are CSRF protected.
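As an added illustration of that mitigation (example code, not from the original post): a constructed reset handler that changes the password without creating a session, shown beside the auto-login variant the post warns about, plus a login form handler that checks a CSRF token. In-memory dicts stand in for a database and plain SHA-256 stands in for a real password hash; both are assumptions made to keep the example short.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores (assumption); use a real DB and argon2/bcrypt in a real app.
USERS = {"alice": {"pw_hash": hashlib.sha256(b"old-secret").hexdigest()}}
RESET_TOKENS = {}  # reset token -> (username, expiry timestamp)
SESSIONS = {}      # session id -> username

def issue_reset_token(username, ttl_seconds=900):
    """Mint a single-use, expiring reset token to embed in the e-mailed link."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + ttl_seconds)
    return token

def reset_password_vulnerable(token, new_password):
    """The pattern the post warns about: finishing the reset also logs the bearer in,
    so whoever is tricked into following the link lands inside the account's session."""
    username, _ = RESET_TOKENS.pop(token)
    USERS[username]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def reset_password(token, new_password):
    """Hardened: consume the token, change the password, create NO session.
    Existing sessions are dropped too, so the user must log in with the new password."""
    entry = RESET_TOKENS.pop(token, None)
    if entry is None or entry[1] < time.time():
        return False
    username, _ = entry
    USERS[username]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    for sid in [s for s, u in SESSIONS.items() if u == username]:
        del SESSIONS[sid]
    return True

def login(form, csrf_cookie):
    """Login form handler: the submitted CSRF token must match the one bound to the
    browser (e.g. a cookie), so a third-party page cannot submit credentials for the user."""
    if not hmac.compare_digest(form.get("csrf", ""), csrf_cookie):
        return None
    user = USERS.get(form.get("username", ""))
    submitted = hashlib.sha256(form.get("password", "").encode()).hexdigest()
    if user is None or not hmac.compare_digest(user["pw_hash"], submitted):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = form["username"]
    return sid
```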