github.com/google/exposure-notifications-verification-server is vulnerable to privilege escalation. The vulnerability exists due to insufficient granularity of access control which allows an attacker, who has permission to the access code and is able to guess the UUID, to have access to expired code.