So by complete luck I found a huge security bug in Lemmy, as far as I can understand.
How can I test it with the team and disclose it with them?
Edit: I thought it was weird that anyone can access lemmy.ml/setup, but upon further investigation I found that no one other than the admins can use it for anything, and that users can only sign up for a normal account from this page rather than an admin account.
Which means that this is a feature, not a bug.
Overall I think admins should hide this page to future-proof it from bugs.
Thank you, I opened an issue.
https://github.com/LemmyNet/lemmy-ui/issues/897