"Uploaded documents for an API's documentation on the publisher side are available to unauthenticated users."
WSO2 API Manager 2.6.0
The uploaded documents of an API are accessible without authentication only when the API's visibility is set to public. If the visibility is restricted to specific user roles, the documents are not available without authentication and authorization. Furthermore, if the API's visibility is changed to restricted roles after a document has been added, the role restriction applies to the existing uploaded documents as well, so they are no longer available to an unauthenticated user. This is the expected behavior of WSO2 API Manager: document visibility follows the API's visibility rather than being configured per document. Therefore, when the API visibility is correctly set using user roles, this is not a vulnerability. Publishers who need to keep a document private should set the API's visibility to the appropriate roles rather than relying on the document being hard to find.
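The following is an added example, not WSO2 code, that models the visibility rule described above so the behavior can be reasoned about and audited: documents carry no visibility of their own, so anonymous access succeeds only while the API is public, and restricting the API afterwards covers documents uploaded earlier. The class and function names, the role names, and the sample APIs are constructed for illustration and are not WSO2 identifiers.

```python
"""Model of the document-visibility rule described in the response above.

Constructed illustration, not WSO2 API Manager code. Assumptions:
- visibility is stored on the API, never on an individual document;
- "public" means readable by anyone, including unauthenticated callers;
- "restricted" means the caller must hold at least one allowed role.
"""
from dataclasses import dataclass, field

PUBLIC = "public"
RESTRICTED = "restricted"
ANONYMOUS = frozenset()  # an unauthenticated caller carries no roles


@dataclass
class Api:
    name: str
    visibility: str = PUBLIC
    allowed_roles: frozenset = frozenset()
    documents: list = field(default_factory=list)

    def upload_document(self, doc_name):
        # Nothing about visibility is recorded with the document itself.
        self.documents.append(doc_name)

    def restrict_to(self, roles):
        # Changing the API-level setting is enough to cover every document,
        # including ones uploaded while the API was still public.
        if not roles:
            raise ValueError("restricted visibility needs at least one role")
        self.visibility = RESTRICTED
        self.allowed_roles = frozenset(roles)

    def make_public(self):
        self.visibility = PUBLIC
        self.allowed_roles = frozenset()


def can_read_document(api, doc_name, caller_roles):
    """Decide access using the API's visibility at the time of the request."""
    if doc_name not in api.documents:
        return False
    if api.visibility == PUBLIC:
        return True
    # Restricted: an anonymous caller has no roles and is always refused.
    return bool(frozenset(caller_roles) & api.allowed_roles)


def audit_exposed_documents(apis):
    """List (api, document) pairs an unauthenticated caller could download.

    This is the check a publisher would run before assuming a document is
    private: every hit here is a document published under a public API.
    """
    return [
        (api.name, doc)
        for api in apis
        for doc in api.documents
        if can_read_document(api, doc, ANONYMOUS)
    ]


def demo():
    """Walk through the sequence from the report: upload, then restrict."""
    orders = Api("Orders")                      # public by default
    orders.upload_document("internal-design.pdf")
    before = can_read_document(orders, "internal-design.pdf", ANONYMOUS)

    orders.restrict_to({"internal"})            # restrict after the upload
    after = can_read_document(orders, "internal-design.pdf", ANONYMOUS)
    staff = can_read_document(orders, "internal-design.pdf", {"internal"})
    return before, after, staff


if __name__ == "__main__":
    print(demo())  # constructed run: anonymous before/after, then staff
```

`audit_exposed_documents` is the practical check: run it over every API whose documents are meant to stay private and treat any hit as a visibility misconfiguration on the API, not on the document.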