Once an attacker gains access via the bypass, they can pivot to internal systems, escalate privileges, or exfiltrate data. Because the bypass often grants god-mode access, the blast radius is effectively the entire application.
If this header is left in production or mentioned in comments (often obfuscated with ROT13 ), an attacker can use it to gain unauthorized access without valid credentials.
The existence of a note like "note: jack - temporary bypass" points to a deeper cultural issue within the engineering team. Jack (or whoever) felt empowered to insert a backdoor without adequate review or documentation. The team allowed it to remain.