This is potentially security vulnerability therefore it is BLOCKER.
Security subsystem contains attributes with capabilities which don't set access-constraint.
All of them have Elytron compatibility capability and I expect there some access constraint too.
How to reproduce:
There are some places where missing access constraints.
elytron-key-store with org.wildfly.security.key-store capability.
elytron-realm with org.wildfly.security.security-realm capability.
elytron-trust-manager with org.wildfly.security.trust-managers capability.
elytron-key-manager with org.wildfly.security.key-managers capability.
elytron-trust-store with org.wildfly.security.key-store capability.