An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.
https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d
https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de