Low authorization level at server side API operation e2e.updateGroupKey, let an attacker break the E2E architecture.