Open
Description
I have a permission that is not restricted to any path. It merely exists so I can check in the code at different places if a user has this permission or not. Therefore, I have left the field "HTTP path" empty.
The result is that every user who has this permission also has access to every other path - even things like /admin/auth/users or /admin/auth/roles!
It seems that an empty HTTP path always matches any given path.
This is at least a grave design error, if not a major security risk.
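The failure mode described in this report, shown as an added example that is not the project's own code: a naive prefix matcher treats an empty HTTP path as a prefix of every path, while a scoped matcher treats a path-less permission as a pure capability flag that grants no path. All names here (Permission, prefix_match, scoped_match, path_allowed, has_permission) are hypothetical.

```python
"""Empty HTTP path on a permission: naive prefix matching vs. a scoped matcher.
All names here are hypothetical and not the project's own API."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Permission:
    name: str
    http_path: Optional[str] = None  # None or "" means: not tied to any path


def prefix_match(perm: Permission, path: str) -> bool:
    """Naive matcher: grant if the request path starts with the HTTP path.
    With an empty HTTP path, str.startswith("") is always True, so the
    permission silently grants every path, including /admin/auth/users."""
    return path.startswith(perm.http_path or "")


def scoped_match(perm: Permission, path: str) -> bool:
    """Hardened matcher: a permission without an HTTP path grants no path at
    all. Only a non-empty, rooted prefix can match, and it must match on a
    path-segment boundary so /reports does not also cover /reportsarchive."""
    prefix = (perm.http_path or "").strip()
    if not prefix.startswith("/"):
        return False  # empty or relative path: not a path grant
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return True  # an explicit root grant stays possible, but must be explicit
    return path == prefix or path.startswith(prefix + "/")


def path_allowed(perms: List[Permission], path: str,
                 matcher: Callable[[Permission, str], bool] = scoped_match) -> bool:
    """Path authorization: any held permission whose HTTP path covers the path."""
    return any(matcher(p, path) for p in perms)


def has_permission(perms: List[Permission], name: str) -> bool:
    """The check the reporter wanted: look the flag up by name, independent of any path."""
    return any(p.name == name for p in perms)


# Constructed sample: a role holding only a path-less flag permission.
FLAG_ONLY = [Permission("can_export_reports", "")]
```

With the naive matcher, FLAG_ONLY reaches /admin/auth/users; with the scoped matcher it reaches no path, while has_permission still answers the by-name check.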