rdiffweb is vulnerable to improper access control. The library allows the same SSH key to be used by multiple users because it identifies a duplicate SSH key via SSH key name which is only a title to identify the key and not the actual SSH key resulting in broken access control.