| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| goalgorilla/open_social | composer | < 12.3.11 | 12.3.11 |
| goalgorilla/open_social | composer | >= 12.4.0, < 12.4.10 | 12.4.10 |
The vulnerability stemmed from two pre-patch conditions: 1) the route for group invitations lacked an authorization check (the route is altered by RouteSubscriber::alterRoutes), and 2) the view configuration permitted access to any authenticated user without filtering by the current user ID. The patches add both a programmatic access check in the route subscriber and stricter access constraints in the view configuration. In the unpatched state, the RouteSubscriber allowed any authenticated user to reach the route, and the view then executed its display logic without filtering by user.
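As an added illustration of the route-side fix described above (example code, not Open Social's own patch), a Drupal route subscriber that attaches a custom access check to a route that previously carried none, so the invitation listing is reachable only by the account it belongs to or an administrator. The module namespace, route name `example.group_invitations` and `{user}` route parameter are placeholders, since the advisory does not name the affected route.

```php
<?php

// Placeholder module namespace; not Open Social's own code.
namespace Drupal\example_group_invite\Routing;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Routing\RouteSubscriberBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\UserInterface;
use Symfony\Component\Routing\RouteCollection;

/**
 * Adds an access requirement to a group-invitation route that had none.
 */
class RouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    // Assumed route name; the real one is not given in the advisory.
    if ($route = $collection->get('example.group_invitations')) {
      // Pre-patch the route only required an authenticated session, so any
      // logged-in account could reach every user's invitation listing.
      // Replace that with a callback that ties the page to the current user.
      $route->setRequirement('_custom_access', '\Drupal\example_group_invite\Routing\RouteSubscriber::access');
    }
  }

  /**
   * Access callback for the {user} route parameter (upcast to an entity).
   *
   * Allowed when the requesting account is the listing's owner, or when it
   * holds the 'administer users' permission. Cached per user so the result
   * is never shared across accounts.
   */
  public static function access(AccountInterface $account, UserInterface $user): AccessResultInterface {
    return AccessResult::allowedIf((int) $account->id() === (int) $user->id())
      ->orIf(AccessResult::allowedIfHasPermission($account, 'administer users'))
      ->cachePerUser();
  }

}
```

The view-side half of the fix is separate: the view's access setting and a contextual filter on the current user ID must also be tightened, because the route check alone does not constrain what the view renders once reached.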