At the top level, every collection shows no items to an Author who did not create them. This is ideal and works great. However, if you associate one private collection with another private collection and an Author creates a new item, the pull-down should not show the admin's list of previously created items. It should be blank until they add their own items.
This is a security vulnerability in which authors have access to protected data created by the admin. This could be passwords, emails, or any other item created for the admin's collection.
See images below for more context:
Permissions set
Good at top level: no items seen
Drop-down in Author login can see Admin data
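The missing check, as an added sketch that is not code from the affected project: the relation drop-down has to go through the same per-user read policy as the top-level list, and the same policy has to be applied again when a relation is saved. The collection name, policy table and function names are hypothetical, and the sample data is constructed.

```javascript
// Constructed sample data: one private collection used as a relation target.
const items = {
  secrets: [
    { id: 1, createdBy: "admin-1", label: "smtp password" },
    { id: 2, createdBy: "author-7", label: "my draft key" },
  ],
};

// Hypothetical read policy per collection: admins read everything,
// authors read only the items they created themselves.
const readPolicy = {
  secrets: (user) =>
    user.role === "admin" ? () => true : (item) => item.createdBy === user.id,
};

// Behaviour described in the report: the drop-down lists the related
// collection without consulting its read policy.
function relationOptionsUnscoped(collection) {
  return items[collection].map(({ id, label }) => ({ id, label }));
}

// Scoped variant: same policy as the top-level list view, deny by default
// when a collection has no policy registered.
function relationOptionsScoped(user, collection) {
  const policy = readPolicy[collection];
  if (!policy) return [];
  return items[collection]
    .filter(policy(user))
    .map(({ id, label }) => ({ id, label }));
}

// Filtering the list is not enough on its own (CWE-639): the id submitted
// when the relation is saved must pass the same policy.
function canLink(user, collection, id) {
  return relationOptionsScoped(user, collection).some((o) => o.id === id);
}
```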
{ "severity": "LOW", "github_reviewed_at": "2024-06-12T19:38:01Z", "nvd_published_at": "2024-06-12T15:15:50Z", "cwe_ids": [ "CWE-639" ], "github_reviewed": true }