Security: code-wheel/jsonapi-frontend-layout
Security Policy

Reporting a vulnerability

Please do not open public issues or pull requests for security vulnerabilities.

Preferred: report privately using GitHub Security Advisories for this repository.

If private reporting is not available for you, contact the maintainers via the Drupal.org project page and clearly indicate that the report is security-sensitive.

What to include

  • A clear description of the vulnerability and impact
  • Steps to reproduce (or a proof of concept)
  • Affected versions (Drupal core version, module version, and relevant config)
  • Any suggested mitigation or fix (if you have one)

Endpoint access model

/jsonapi/layout/resolve is a public endpoint (_access: TRUE), the same pattern Drupal's JSON:API core uses. Authorization is not skipped — it is enforced per entity in code: the resolver only returns an entity (and its layout) when $entity->access('view') passes for the current user, so anonymous callers never receive unpublished or access-restricted content. This is covered by LayoutResolveTest::testUnpublishedLayoutNotResolvedForAnonymous.
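To illustrate the pattern described above, the following is an added, hypothetical sketch of an open route paired with a per-entity access check; it is not the module's own code, and the module name, controller class, query parameter, path lookup and response shape are all assumptions.

```php
<?php
namespace Drupal\jsonapi_frontend_layout\Controller;
// Matching route (hypothetical module name; in the module's routing.yml):
//   jsonapi_frontend_layout.resolve:
//     path: '/jsonapi/layout/resolve'
//     defaults:
//       _controller: '\Drupal\jsonapi_frontend_layout\Controller\LayoutResolveController::resolve'
//     requirements:
//       _access: 'TRUE'   # public route; authorization is enforced per entity below
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

class LayoutResolveController extends ControllerBase {

  public function resolve(Request $request): JsonResponse {
    // Assumption: the front-end path to resolve arrives as ?path=/some/alias
    $path = (string) $request->query->get('path', '');
    $entity = $this->entityForPath($path);
    // Per-entity authorization: anonymous users fail 'view' access on
    // unpublished or otherwise restricted content, so it is never returned.
    if ($entity === NULL || !$entity->access('view', $this->currentUser())) {
      // One response for "missing" and "denied" (a design choice here) so the
      // endpoint does not confirm that a restricted entity exists at this path.
      return new JsonResponse(['errors' => [['status' => '404', 'title' => 'Not Found']]], 404);
    }
    return new JsonResponse(['data' => [
      'type' => $entity->getEntityTypeId() . '--' . $entity->bundle(),
      'id' => $entity->uuid(),
      'attributes' => ['label' => $entity->label()],
      // The resolved layout for the entity would be attached here.
    ]]);
  }

  /** Maps a front-end path (alias or system path) to its canonical entity, if any. */
  private function entityForPath(string $path): ?EntityInterface {
    if ($path === '' || $path[0] !== '/') {
      return NULL;
    }
    // Service lookup kept inline for brevity; inject it in real code.
    $system = \Drupal::service('path_alias.manager')->getPathByAlias($path);
    $url = Url::fromUserInput($system);
    if (!$url->isRouted() || !preg_match('/^entity\.(\w+)\.canonical$/', $url->getRouteName(), $m)) {
      return NULL;
    }
    $id = $url->getRouteParameters()[$m[1]] ?? NULL;
    return $id === NULL ? NULL : $this->entityTypeManager()->getStorage($m[1])->load($id);
  }

}
```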