| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/oauth2_client | composer | < 4.1.3 | 4.1.3 |

The vulnerability stems from missing CSRF protection on the client enablement routes. In Drupal, route handlers are controller methods. The advisory explicitly identifies the client enablement routes as vulnerable, which indicates that the associated controller method `OAuth2ClientController::enableClient` would process these requests without CSRF checks. This function would appear in stack traces when handling exploit attempts targeting client configuration changes.
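
What CSRF protection on such a route looks like in a Drupal `*.routing.yml` file, as an added example that is not taken from the module's own code or its patch. The route names, path, controller namespace and permission string are hypothetical; only the controller method name comes from the text above, and `_csrf_token` is Drupal core's standard route requirement.

```yaml
# Constructed example: route names, path, namespace and permission are
# hypothetical and are not copied from drupal/oauth2_client.

# Before: a state-changing route guarded only by a permission check.
# The browser of a logged-in administrator attaches the session cookie to
# any request for this path, so the permission check alone cannot tell a
# click inside the admin UI from a request triggered by another site.
oauth2_client.example_enable_unprotected:
  path: '/admin/config/system/oauth2-client/{plugin_id}/enable'
  defaults:
    _controller: '\Drupal\oauth2_client\Controller\OAuth2ClientController::enableClient'
  requirements:
    _permission: 'administer oauth2 clients'

# After: the same route with the core CSRF requirement added.
# With _csrf_token set, Drupal appends a per-session "token" query
# parameter to URLs it generates for this route, and the access check
# returns 403 before the controller runs when the token is missing or
# does not match the current session and route path.
oauth2_client.example_enable:
  path: '/admin/config/system/oauth2-client/{plugin_id}/enable'
  defaults:
    _controller: '\Drupal\oauth2_client\Controller\OAuth2ClientController::enableClient'
  requirements:
    _permission: 'administer oauth2 clients'
    _csrf_token: 'TRUE'
```

When reviewing a module for the same class of issue, check every route whose controller changes configuration or entity state without going through a form: it should either carry `_csrf_token: 'TRUE'` or be converted to a confirmation form, which gets a form token from the Form API.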