Grocy is not an enterprise application, nor is it one you (should) host publicly (meaning without authentication) on the internet.
So unless something really bad can be abused unauthenticated, it's considered practically irrelevant for the target use case of Grocy and therefore not even worth reporting.
If you really think you've found something critical and valid for the target use case of Grocy and you feel the need to contact me privately about it, please see berrnd.de for any contact information.