It was reported that it is possible to gain access as a different user when using pcsd (the pcs web UI), because pcsd validates usernames using a variable that is global to the server instead of to the connection. The scenario is as follows: User A sends a command to pcsd. After the connection is made and authentication happens (but before any security checks are done), User B connects and authenticates. User A could potentially get access based on User B's permissions. To take advantage of this, the user must have access to log in to pcsd.
Acknowledgement: This issue was discovered by Tomáš Jelínek of Red Hat.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:1700 https://rhn.redhat.com/errata/RHSA-2015-1700.html
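The interleaving described in the report, modelled as an added example (this is not pcsd source code): a server that keeps the authenticated username in server-wide state is replayed next to one that keeps it on the connection. The class names, the `replay` helper, the users and the permission table are all assumptions made for illustration.

```ruby
# Constructed model, not pcsd code: users and permissions are hypothetical.
PERMISSIONS = { "userA" => [:read], "userB" => [:read, :write] }.freeze

# Flawed pattern: the authenticated username lives in server-wide state.
class GlobalStateServer
  def initialize
    @current_user = nil # shared by every connection
  end

  def authenticate(_conn, username)
    @current_user = username
  end

  # The check reads whichever username was written last, by any connection.
  def allowed?(_conn, action)
    PERMISSIONS.fetch(@current_user, []).include?(action)
  end
end

# Corrected pattern: the username is stored on the connection it belongs to.
class PerConnectionServer
  def authenticate(conn, username)
    conn[:user] = username
  end

  def allowed?(conn, action)
    PERMISSIONS.fetch(conn[:user], []).include?(action)
  end
end

# Replays the reported ordering: A authenticates, B authenticates, and only
# then do the security checks for each connection's command run.
def replay(server)
  conn_a = {}
  conn_b = {}
  server.authenticate(conn_a, "userA")
  server.authenticate(conn_b, "userB")
  { a_write: server.allowed?(conn_a, :write),
    b_write: server.allowed?(conn_b, :write) }
end

if __FILE__ == $PROGRAM_NAME
  puts "global state:   #{replay(GlobalStateServer.new)}"
  puts "per connection: #{replay(PerConnectionServer.new)}"
end
```

With server-wide state, User A's check is evaluated against User B's permissions; with per-connection state, each check uses the identity that authenticated on that connection.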