So by complete luck I found a huge security bug in Lemmy, as far as I can understand.

How can I test it with the team and disclose it to them?

Edit: I thought it was weird that anyone can access lemmy.ml/setup, but upon further investigation I found that no one other than the admins can use it for anything, and that users can only sign up for a normal account from this page rather than an admin account.

Which means that this is a feature, not a bug.

Overall, I think admins should hide this page to future-proof it from bugs.