This is not a vulnerability. "User may access a file publicly posted without giving that server the *user's* password hash" is not worse than the alternative. It's better than the alternative

By this logic visiting any website or viewing email are also bugs and should be blocked