Reports should not be made public
When a report is published, the generated URL is public by default, which means the report data could be exposed to anyone, including people who are not users. Reports are available until they are unpublished.
Share reports using Groups, Users and Roles. To make a report available only to logged-in users, set its Sharing setting to Everyone, but do not publish it.
Time to fix
This rule is linked to Common Weakness Enumeration CWE-284 Improper Access Control.
Common Weakness Enumeration (CWE™)
ServiceNow: High Security Settings