The flaw is rather straightforward and stems from the fact that one API endpoint called /api/v1/validate/code had missing authentication checks and passed code to the Python exec function.