1 point by CorporationHit 7 hours ago | 1 comment
  • CorporationHit 5 hours ago
    The core issue is an HTTP/2 Logic Bypass. Despite having security restrictions in place that should trigger a 403 or 401, the endpoint consistently returns an HTTP/2 200 OK. What's interesting is the response from the VRP:
      Initially Closed: Dismissed as intended behavior.
      Re-opened & Triaged: After I provided a more detailed proof-of-concept, it was moved to the 'Triaged' state, which usually means they acknowledge a potential issue.
      Closed Again: Finally closed without explaining why a restricted endpoint is leaking a 200 OK status.
    As a developer, this "Close-Triage-Close" loop feels like a way to avoid acknowledging a flaw in the request-handling logic. I'd love to hear if anyone else has experienced similar behavior with HTTP/2 multiplexing or header injection in this specific VRP.