cPanel prior to 71.9980.37 allows malicious users to make API calls that bypass the backup feature restriction (SEC-429).
cpanel cpanel