This is a valid bug in Glance. It's not very insecure but, if combined with certain features of v2 like deactivation of an image (that's only allowed by admin by default), this change may result into bad image state and potentially give attackers the access to unauthorized image data.
Also, this has a per-condition that the v1 endpoint for Glance needs to be exposed. Not all deployments allow this and is not a standard, recommended practice.
This is a valid bug in Glance. It's not very insecure but, if combined with certain features of v2 like deactivation of an image (that's only allowed by admin by default), this change may result into bad image state and potentially give attackers the access to unauthorized image data.
Also, this has a per-condition that the v1 endpoint for Glance needs to be exposed. Not all deployments allow this and is not a standard, recommended practice.