The vulnerability stems from the pre-patch code in AbstractProject.java where BuildTrigger's getChildProjects() was called without SYSTEM impersonation. This allowed attackers to manipulate job configurations to reference downstream projects they couldn't see (due to ACLs), as the project resolution used the attacker's permissions. The subsequent BUILD permission check was ineffective because the visibility check had already failed. The fix (adding SYSTEM impersonation during project resolution) confirms this was the root cause, as it ensures downstream project existence is verified with full privileges before checking user-specific BUILD permissions.