At Snyk we are currently investigating the validity of these kinds of issues as a CVE. I would advise not to issue those at the moment. Speaking personally, it doesn’t seem like a vulnerability because a malicious actor has to have write access to the configuration to exploit it.