Any user could get a token that has been requested by another user/agent
The vulnerability is fixed in version 8.0.37.
None