CVE-2026-7500: Security Patch Closes Improper Access Control Gap on Account API Endpoints

A critical access control vulnerability has been patched in the Account API framework, addressing a scenario where protected endpoints remained reachable even after explicitly disabling the ACCOUNT_API feature flag. The flaw, catalogued as CVE-2026-7500, created a pathway for unauthorized access to account data through versioned API routes that bypassed the central feature gate.

The fix implements a centralized enforcement mechanism by integrating AccountRestService.checkAccountApiEnabled() directly into AccountLoader, ensuring every request to account endpoints undergoes proper feature validation before processing. The checkAccountApiEnabled() method was refactored from private to public scope to enable cross-component reuse and consistent enforcement. A dedicated test case was introduced to validate that versioned API routes respect the feature disable state, closing the gap that allowed the original breach.

Security researchers warn that improper access control flaws remain among the most prevalent vulnerability classes in modern API architectures, particularly in systems with feature-flagged functionality. The exposure risked account information disclosure in any deployment where administrators believed the feature had been disabled. The commit (8e808ca1) has been backported and closes issue #48709. Organizations running affected versions should verify their deployments reflect the patched state, as the vulnerability may have been exploitable in production environments without immediate indication of misuse.