Plugins for the authority control mechanisms (Choice plugins) deliver data without any prior authorization. For many kinds of authority data this is not a problem, but it can be used to systematically crawl full directories if authority control is based on LDAP or similar information. It is also one possible point for injecting queries into third-party data sources. At a minimum, DSpace should check whether the requesting user is registered with DSpace and allowed to submit to at least one collection.
An example URL for such unauthorized access (works only when authority control is configured for the field dc.contributor.author): https://some-dspace-url.here/choices/dc_contributor_author?query=test&format=select&collection=1&start=0&limit=0
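Until such a check exists, the web access log is the place where directory crawling through this endpoint becomes visible. The following detection sketch is an added example, not DSpace code: it flags clients that send many distinct `query` values to a `/choices/<field>` URL. The combined log format, the threshold, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
_LINE = ('{ip} - - [01/Jan/2024:10:00:00 +0000] "GET /choices/dc_contributor_author'
         '?query={q}&format=select&collection=1&start=0&limit=0 HTTP/1.1" 200 512')
SAMPLE_LOG = "\n".join(
    [_LINE.format(ip="198.51.100.7", q=q) for q in "abcde"]            # sweeps a..e
    + [_LINE.format(ip="203.0.113.20", q=q) for q in ("smith", "smith%20j")]
    + ['203.0.113.20 - - [01/Jan/2024:10:00:00 +0000] "GET /handle/123/1 HTTP/1.1" 200 900']
)

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def choice_requests(log_text):
    """Yield (client, field, query) for each successful /choices/<field> lookup."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m.group(3) != "200":
            continue
        url = urlsplit(m.group(2))
        parts = url.path.strip("/").split("/")
        # Match on the last two segments so a servlet context path is tolerated.
        if len(parts) < 2 or parts[-2] != "choices":
            continue
        query = parse_qs(url.query, keep_blank_values=True).get("query", [""])[0]
        yield m.group(1), parts[-1], query

def flag_enumeration(log_text, max_distinct_queries=3):
    """Return {client: {field: distinct query count}} for clients over the threshold."""
    seen = defaultdict(lambda: defaultdict(set))
    for client, field, query in choice_requests(log_text):
        seen[client][field].add(query.lower())
    flagged = {}
    for client, fields in seen.items():
        over = {f: len(q) for f, q in fields.items() if len(q) > max_distinct_queries}
        if over:
            flagged[client] = over
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

The threshold needs tuning against normal submission traffic, because the submission form's autocomplete also sends several queries per author field.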