The vuln is that API calls with no auth headers run as root.