OVAL

CVE-2017-5192 -- salt-common

ID: oval:org.secpod.oval:def:1901102
Date: (C)2019-03-22   (M)2023-12-20
Class: VULNERABILITY
Family: unix




When using the local_batch client from salt-common-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed. The LocalClient.cmd_batch method client does not accept external_auth credentials and so access to it from salt-common-api has been removed for now. This vulnerability allows code execution for already-authenticated users and is only in effect when running salt-common-api as the root user.

Platform:
Ubuntu 16.04
Ubuntu 14.04
Product:
salt-common
Reference:
CVE-2017-5192
CVE (1):
CVE-2017-5192
CPE (3):
cpe:/o:ubuntu:ubuntu_linux:16.04
cpe:/a:salt:salt-common
cpe:/o:ubuntu:ubuntu_linux:14.04

© SecPod Technologies