In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.