A SSRF vulnerability was discovered which allowed the attacker to access the application via the IP address. This bypass revealed that the application was accessible without any WAF protection. Further details and technical analysis can be found in the blog post.
Check out the original tweet here: https://twitter.com/k4x0r_/status/1813561402512273618