| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | maven | >= 1.597, < 1.600 | 1.600 |
| org.jenkins-ci.main:jenkins-core | maven | < 1.596.1 | 1.596.1 |
The vulnerability stems from a missing access-control check on reserved user names during account creation in Jenkins' built-in authentication. The HudsonPrivateSecurityRealm class implements the "Jenkins' own user database" security realm and handles user management for it, including self-registration when sign-up is enabled. Its createAccount() path did not validate the requested user name against identifiers that carry special meaning in the authorization layer (Jenkins uses names such as "anonymous" and "authenticated" as special principals and groups when evaluating permissions), so an attacker who could register an account was able to choose one of those names and thereby receive privileges intended for the reserved identity rather than for an ordinary user. Because the flaw lets an unprivileged party assume a special identity, it is classified as CWE-287 (Improper Authentication), consistent with the advisory's description of attackers creating reserved names to gain privileges. The fix in 1.600 (and 1.596.1 on the LTS line) rejects such names at creation time; instances that allowed sign-up while running an affected version should also review their existing user list for accounts with reserved names, since the upgrade blocks new registrations but does not vouch for accounts created earlier.
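The following is an added, simplified model of the flaw and its fix, not Jenkins' own code. It assumes a small set of reserved identifiers (`anonymous`, `authenticated`, `system`, `everyone`, `unknown`) and an authorization layer that keys grants by plain sid strings and treats the sid `SYSTEM` as exempt from ACL checks; the real Jenkins reserved-name list and ACL internals are not reproduced. The point it shows is that a user database which does not reject reserved names lets a self-registered account collide with a special sid, and that the hardened check has to normalize (trim, case-fold) the name before comparing it.

```python
import re

# Constructed for this example: identifiers assumed to have special meaning
# in the authorization layer. Jenkins' actual reserved-name list may differ.
RESERVED_NAMES = frozenset({"anonymous", "authenticated", "system", "everyone", "unknown"})
SYSTEM_SID = "SYSTEM"              # assumed all-powerful internal identity
AUTHENTICATED_GROUP = "authenticated"  # group every logged-in user belongs to

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


class ReservedNameError(ValueError):
    """Raised when an account name collides with a reserved identifier."""


class OwnUserDatabase:
    """Toy stand-in for a self-managed user database (not Jenkins code)."""

    def __init__(self, reject_reserved_names):
        self.reject_reserved_names = reject_reserved_names
        self._users = {}  # canonical (case-folded) id -> id as entered

    def create_account(self, username):
        name = username.strip()
        if not USERNAME_RE.fullmatch(name):
            raise ValueError("user name contains illegal characters")
        key = name.casefold()
        if key in self._users:
            raise ValueError("user already exists")
        # Hardened path: refuse ids the authorization layer treats specially.
        # The vulnerable path skips this check, which is the flaw described above.
        # Comparing the normalized form closes the "System" / " system " variants.
        if self.reject_reserved_names and key in RESERVED_NAMES:
            raise ReservedNameError(f"{name!r} is a reserved user name")
        self._users[key] = name
        return name

    def exists(self, username):
        return username.strip().casefold() in self._users


class SidAcl:
    """Grants keyed by sid string. A sid may name a user or a group and nothing
    in the string says which, so a user id equal to a special sid inherits
    whatever that sid means to the authorization layer."""

    def __init__(self):
        self._grants = {}

    def grant(self, sid, permission):
        self._grants.setdefault(sid.casefold(), set()).add(permission)

    def has_permission(self, username, permission):
        sids = [username, AUTHENTICATED_GROUP]
        # Assumed behaviour: the internal system identity bypasses the matrix.
        if any(s.casefold() == SYSTEM_SID.casefold() for s in sids):
            return True
        return any(permission in self._grants.get(s.casefold(), ()) for s in sids)


def attack(reject_reserved_names):
    """Attacker self-registers under a reserved id, then asks for Administer.
    Returns (account_created, has_administer)."""
    realm = OwnUserDatabase(reject_reserved_names)
    acl = SidAcl()
    acl.grant(AUTHENTICATED_GROUP, "Job.READ")  # the only grant ordinary users hold
    try:
        name = realm.create_account("system")
    except ReservedNameError:
        return False, False
    return True, acl.has_permission(name, "Administer")


if __name__ == "__main__":
    print("vulnerable realm:", attack(reject_reserved_names=False))
    print("hardened realm:  ", attack(reject_reserved_names=True))
```

Running the module prints `(True, True)` for the vulnerable realm and `(False, False)` for the hardened one: without the check the attacker's account name is indistinguishable from the privileged sid. The check belongs at account creation rather than at authorization time, because every consumer of the sid string (matrix grants, per-job ACLs, plugins) would otherwise need to reimplement it.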