Episode 1: Introductions, Bug Bounty Reports, and BB Tips

Critical Thinking - Bug Bounty Podcast

Is This Really a Bug?

The sign up and forgot password was available at the front page. But then we run into like a serious problem. The response dumps back a cloud URL, right? I know for sure that it downloaded my response and stuck in an SSRF bucket. So this would be a full read-only attack on our server. And so when you send a request to an image somewhere else, it kicks off another section of the application where you can't figure out what's going on. It took us eight hours just looking for this endpoint but eventually found it.
