Faizan Nehal
Aug 28, 2021

To understand this bypass, first think about why we have 2FA at all: it is there to protect the user if their password is leaked or their account is otherwise compromised. The same reasoning applies when the attacker has obtained the password for the user's email account. The user will assume the account is still completely protected by 2FA, but in reality the attacker can get around it through a design logic flaw in the application. The attacker resets the victim's password (the reset link lands in the email account the attacker already controls), and the application logs the attacker straight into the victim's account after the reset, without ever asking for the second factor. Most applications ask for the 2FA code when you reset the password; if an application doesn't, that is a logic flaw, because the developer only enforced the second factor on the normal login form and not on every path that produces an authenticated session. The check a tester wants to see is that a session created by a password reset is treated exactly like a session created by a password login: the password is the first factor, and the second factor is still required before any account data is served.
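The flaw and its fix, as an added example that is not part of the original post: a minimal in-memory model of a "forgot password" flow with the vulnerable reset handler beside the fixed one. The user store, session store, email address, password and TOTP secret are all constructed for the demo; it assumes a TOTP app as the second factor (implemented inline per RFC 6238 so the script runs offline) and uses a plain SHA-256 password hash only to keep the example short, which a real application would replace with a proper password hash.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed demo state (not from the original post). A real application would
# keep this in a database and use argon2/bcrypt instead of a bare SHA-256.
USERS = {
    "victim@example.com": {
        "password_hash": hashlib.sha256(b"victims-old-password").hexdigest(),
        "totp_secret": b"constructed-demo-totp-secret",  # assumption: TOTP is the 2nd factor
        "mfa_enabled": True,
    }
}
RESET_TOKENS = {}  # reset token -> email; the token is what gets emailed to the user
SESSIONS = {}      # session id -> session state


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step); here only to keep the demo self-contained."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def issue_reset_token(email: str) -> str:
    """Step 1 of 'forgot password': the token is sent to the user's mailbox.
    An attacker who already controls that mailbox simply reads it."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    return token


def _consume_token(token: str) -> str:
    email = RESET_TOKENS.pop(token, None)  # single use: a token cannot be replayed
    if email is None:
        raise ValueError("invalid or already used reset token")
    return email


def reset_password_vulnerable(token: str, new_password: str) -> str:
    """The flawed flow: after the reset the app hands out a fully authenticated
    session, so the second factor is never checked on this path."""
    email = _consume_token(token)
    USERS[email]["password_hash"] = hash_password(new_password)
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": email, "authenticated": True, "mfa_pending": False}
    return sid


def reset_password_fixed(token: str, new_password: str) -> str:
    """The fixed flow: a reset only proves control of the mailbox (first factor),
    so the session starts in the same 'second factor still required' state that
    a normal password login would produce."""
    email = _consume_token(token)
    USERS[email]["password_hash"] = hash_password(new_password)
    mfa = USERS[email]["mfa_enabled"]
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": email, "authenticated": not mfa, "mfa_pending": mfa}
    return sid


def verify_second_factor(sid: str, code: str, now: Optional[int] = None) -> bool:
    """Completes a session that is waiting for the second factor."""
    sess = SESSIONS[sid]
    if not sess["mfa_pending"]:
        return sess["authenticated"]
    secret = USERS[sess["user"]]["totp_secret"]
    now = int(time.time()) if now is None else now
    # Accept the previous, current and next 30 s window to tolerate clock drift.
    for skew in (-30, 0, 30):
        if hmac.compare_digest(totp(secret, now + skew), code):
            sess["authenticated"], sess["mfa_pending"] = True, False
            return True
    return False


def is_logged_in(sid: str) -> bool:
    """What a protected endpoint checks before serving account data."""
    return SESSIONS.get(sid, {}).get("authenticated", False)


if __name__ == "__main__":
    # The attacker controls the victim's mailbox, so they receive the reset token.
    sid = reset_password_vulnerable(issue_reset_token("victim@example.com"), "attacker-pw")
    print("vulnerable flow, logged in without 2FA:", is_logged_in(sid))
    sid = reset_password_fixed(issue_reset_token("victim@example.com"), "attacker-pw")
    print("fixed flow, logged in without 2FA:", is_logged_in(sid))
```

The design point is that a password reset proves nothing more than a password login does: both establish the first factor only, so both must land in the same `mfa_pending` state and go through the same `verify_second_factor` gate before `is_logged_in` returns true.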
