In this case the “vulnerability” if you can even call it that is so blindingly obvious that anyone who knows what a pen test is could’ve found it in a second. The only way this gets released in an otherwise-functional organization is going yolo mode with an LLM (or being willfully ignorant, or both).