The "exists" methods, which allow to check whether an object matching some criteria, exists does not check permissions. For example, we can find out, if host "Zabbix server" exists, even if we don't have permissions to it. This vulnerability is not that critical, since there are other ways we can find this out: we can try to create a host with the same name, and see if an error is triggered. But in the case with "exists" methods, we have some additional uses: for example, check if an item with a specific key exists on a host we have no permissions to.