user getting label automatically

if a user has a mvp or any label and that user created a new user without logout then the newly created user will have those labels. is this a feature or my mistake i did't write any code to give labels

TL;DR

User is experiencing an issue where labels are automatically assigned to newly created users, even if no code was written to assign them. This is confirmed to be a bug by the support team. A workaround suggested is to prevent creating accounts through the create account API and expose it via a function instead. The user is also asking for the best way to give a group of users permission, and mentions using labels for this purpose. This bug allows users to give others their permissions, which may be considered a vulnerability. Solution: The support team suggests using a workaround to prevent creating accounts via the create account API and exposing it through a function.

This sounds like a bug. Would you please create a GitHub issue?

bug report : https://github.com/appwrite/appwrite/issues/7323

Could this be to do with the (intended) behaviour of when an anonymous session is created, then a user is created, the created user inherits the anonymous session?

To convert an anonymous session, you're supposed to call the update email and update password endpoints

is this a vulnerability ?

Not really

well i used labels to give permission to group of users to execute a function which is cannot be used by all. now by using this bug a user can give other user its permission