Thanks a lot for reaching out and sharing details about your discovery. Indeed, there was a critical security vulnerability.
It has been fixed in v10.2.1, see https://www.sharetribe.com/community/t/sharetribe-go-version-10-2-1-is-now-available-important-security-update/3371 and https://github.com/sharetribe/sharetribe/releases/tag/v10.2.1.
Anyone can learn more about the vulnerability at https://github.com/sharetribe/sharetribe/security/advisories/GHSA-hjjc-p9hr-424c
Thanks Wang Sheng of State Grid Sichuan Electric Power Research Institute for reporting this issue.