When I saw this post yesterday, I immediately deleted it. The post was a report for a potential security risk and I wanted to buy us some time to prepare a fix before discussing it publicly.
I then sent @Conradowatz an email asking for details and did some quick checks. Those checks led to the conclusion that we had a bad nginx config which would allow downloading media files, including audio files. In order to do this, you would need to know the internal path of the audio file, which usually isn't exposed. So exploiting this vulnerability would have been hard, while the potential damage can be quite high.
The issue is tracked here: https://dev.funkwhale.audio/funkwhale/funkwhale/-/issues/2101
I quickly involved @JuniorJPDJ for his nginx knowledge who quite quickly prepared a patch. We released this yesterday in the evening (CET) with Funkwhale 1.2.10. Please update your instances as fast as possible.