The vulnerability arises from insufficient granularity in access control checks, allowing users to delete prompts from other organizations by manipulating request parameters. Specifically, the backend API does not validate the ownership of the prompt being deleted, only checking if the user has permissions to delete such resources. This can lead to unauthorized deletion of prompts, causing data inconsistencies and loss of information for legitimate users.

An attacker logs in as a user from Organization A and adds a prompt. They then log in as a user from Organization B in a separate session, intercept the DELETE request for the prompt, replace the access token with that of the user from Organization B, and remove the projectId parameter. This allows the attacker to delete the prompt from Organization A, causing data loss and inconsistencies.

Users and organizations using version 1.2.13 of the software are affected. Specifically, any organization that relies on the integrity of their prompts and datasets is at risk.