| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:libvirt-slave | maven | < 1.8.6 | 1.8.6 |
The vulnerability stems from missing permission checks in form validation handlers. The commit c671d68 explicitly adds Jenkins.ADMINISTER checks to these methods, indicating they previously lacked authorization controls. The Jelly file changes (adding checkMethod='post') address CSRF, but the core permission issue resides in the Java methods handling sensitive operations. The patched functions directly correlate to the described attack vector of unauthorized credential usage via form validation endpoints.
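The two controls named above can be checked for when reviewing plugin source. This added example is not code from the plugin or the advisory: it is a heuristic audit of the Java side only, and the handler names `doTestConnection` and `doCheckHost`, the `connect` helper and the sample class are constructed for illustration.

```python
import re

# Constructed sample: hypothetical descriptor, one unguarded and one guarded handler.
SAMPLE = '''
public class DescriptorImpl extends Descriptor<Cloud> {
    public FormValidation doTestConnection(@QueryParameter String host, @QueryParameter String credentialsId) {
        return connect(host, credentialsId) ? FormValidation.ok() : FormValidation.error("failed");
    }

    @POST
    public FormValidation doCheckHost(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (value.isEmpty()) { return FormValidation.error("required"); }
        return FormValidation.ok();
    }
}
'''

# Optional annotations followed by a Stapler form-validation handler signature.
HANDLER = re.compile(
    r'((?:@\w+(?:\([^)]*\))?\s+)*)public\s+FormValidation\s+(do\w+)\s*\(')

def method_body(src, start):
    """Return the brace-balanced body beginning at the first '{' after start."""
    i = src.index('{', start)
    depth = 0
    for j in range(i, len(src)):
        if src[j] == '{':
            depth += 1
        elif src[j] == '}':
            depth -= 1
            if depth == 0:
                return src[i:j + 1]
    return src[i:]  # unbalanced input: return what is left

def audit(src):
    """Map handler name -> list of controls the handler is missing."""
    findings = {}
    for m in HANDLER.finditer(src):
        annotations, name = m.group(1), m.group(2)
        body = method_body(src, m.end())
        missing = []
        if not re.search(r'\b(checkPermission|hasPermission)\s*\(', body):
            missing.append('permission check')
        if not re.search(r'@(POST|RequirePOST)\b', annotations):
            missing.append('POST-only')
        if missing:
            findings[name] = missing
    return findings
```

Braces inside string literals or comments will confuse the body extraction, so treat a finding as a pointer for manual review rather than a verdict.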