The vulnerability stems from the absence of current password verification in the password change functionality of the admin panel. While the advisory clearly describes the vulnerable behavior (password change without current password check), the provided materials lack specific code references, commit diffs, or patch details that would allow precise identification of the vulnerable functions. The GitHub issue (#9657) discusses the problem at a feature level but doesn't reference implementation details. Without access to Strapi's source code for versions ≤3.6.0 or specific file/function references from the advisory materials, we cannot confidently map this vulnerability to specific functions with high confidence. The vulnerability likely exists in the user profile update controller handling password changes, but insufficient implementation details are provided to confirm this.