Tracked as CVE-2022-20658 (CVSS score of 9.6), the issue exists due to a lack of server-side validation of user permissions, which allows an attacker to submit a crafted HTTP request to exploit the bug.