The vulnerability stemmed from missing access control checks in Data Container (DCA) permission validation functions. The commit diff shows critical additions of ID-in-root-array checks for 'select' and 'paste' actions across multiple DCA files (tl_calendar_events, tl_news, etc.), which directly correlate with the described vulnerability vectors. The DC_Table.php changes fix root node handling that previously allowed unauthorized parent view access. The tl_page.php modifications address the pagemounts issue where empty user mounts led to unrestricted access. These functions were clearly modified to add missing access controls in the patch, confirming their vulnerability.