The vulnerability stems from improper input validation in the JSON component's postprocess() function, where user-controlled strings are parsed without adequate sanitization. This flaw enables attackers to inject a dictionary object with a path key, leading to unauthorized file access. The application's handling of such objects in both postprocess_data() and preprocess_data() functions exacerbates the issue, as it inadvertently facilitates the movement of specified files to a temporary directory, from which they can be retrieved.

An attacker crafts a JSON payload containing a dictionary with a path key pointing to a sensitive file. This payload is submitted to the vulnerable application, which then processes and moves the specified file to a temporary directory. The attacker subsequently accesses the moved file via a specially crafted request to the application's endpoint, achieving unauthorized read access to the file's contents.

Any user or system utilizing the affected versions of the web application for processing JSON input is at risk. This includes both end-users interacting with the application's interface and backend systems that rely on the application for JSON data handling.