The vulnerability stemmed from an overly broad authentication exemption in the setupAuthMiddlewares function. The pre-patch code skipped authentication for any request whose URL contained '.svg' (and similar static-asset markers) using a plain substring match, req.url.includes('.svg'). Because req.url carries the full request path and query string, the check did not distinguish a genuine static asset from a protected endpoint: an attacker could reach protected resources unauthenticated simply by appending '.svg' to the endpoint URL (for example as a path suffix or a query-string value). The patch replaced this explicit substring bypass with glob pattern matching against the static assets actually present in a known directory (EDITOR_UI_DIST_DIR), so only legitimate static files are served without authentication. This maps to CWE-668 (Exposure of Resource to Wrong Sphere): the substring check exposed protected resources to an unauthenticated sphere of callers.