Thats not a real problem. You need a valid acp session id which is impossible to get unless you compromise the system of an administrator (it's not stored in a cookie). Additionally it's in the admin cp, so it's not exploitable by bad people unless you give them acp access.