This was a fun authorization check bypass because when checking if higher privileges were needed the flag value was checked for equality with the two privileged actions. Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set. So a value with a unused bit set could have the privileged action bit set, without being exactly equal to the privileged act.

This also allowed an attacker to hit a use-after-free situation, utimately caused by two different locks being used to control access to the same object.