The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:

GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches

The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.

The first method should return a 403 in case the user doesn't have appropriate permissions. The second method should omit the full cache configuration from the response (it returns other, non-security sensitive information).

The methods require authentication, but once authenticated, any user can invoke them successfully.
This issue has been addressed in the following products:

Red Hat Data Grid 8.4.4

Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396
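A regression check for the expected behaviour stated in the report, as an added example that is not part of the original report or of the Data Grid code: it evaluates responses captured while authenticated as a non-admin user. The key names in CONFIG_KEYS and the sample response bodies are assumptions constructed for illustration, since the report does not give the response schema.

```python
import json

# Assumption: keys under which a full cache configuration could appear in the
# list response. Adjust to the schema your server version actually returns.
CONFIG_KEYS = {"configuration", "config"}

# Constructed sample bodies for GET /rest/v2/caches (not real server output).
LIST_BODY_EXPOSED = ('[{"name": "sessions", "status": "RUNNING", '
                     '"configuration": {"distributed-cache": {"mode": "SYNC"}}}]')
LIST_BODY_REDACTED = '[{"name": "sessions", "status": "RUNNING"}]'


def find_config_keys(node, path="$"):
    """Yield the JSON path of every CONFIG_KEYS member found at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in CONFIG_KEYS:
                yield child
            else:
                yield from find_config_keys(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_config_keys(item, f"{path}[{i}]")


def audit(config_status, list_status, list_body):
    """Return findings for the two endpoints as seen by a non-admin user."""
    findings = []
    # GET /rest/v2/caches/{cacheName}?action=config must be refused with 403.
    if config_status == 401:
        findings.append("config: 401, request was not authenticated; re-run with credentials")
    elif config_status != 403:
        findings.append(f"config: status {config_status} for non-admin, expected 403")
    # GET /rest/v2/caches still answers, but without the full configuration.
    if list_status != 200:
        findings.append(f"list: status {list_status}, expected 200; body not evaluated")
    else:
        for path in find_config_keys(json.loads(list_body)):
            findings.append(f"list: cache configuration exposed at {path}")
    return findings


if __name__ == "__main__":
    for label, args in (("exposed", (200, 200, LIST_BODY_EXPOSED)),
                        ("redacted", (403, 200, LIST_BODY_REDACTED))):
        print(label, audit(*args) or "OK")
```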