In this case that‘s actually a security vulnerability, I‘ve also seen a case where it built an api with auth but added a route where anyone could just PUT a new API key into it. Sometimes its own code review catches these, sometimes it does not.