We've deployed Plausible CE in https://analytics.dwyl.com.
The first account that registers becomes the admin and no other accounts are allowed to register unless invited by the admin.
While @nelsonic was creating/registering his account, I had the normal Register page open on my Chrome browser.
What happened
After they created the account, I was expecting Plausible to show me this page (it's what happens now when I access it on an anonymous window).
However, when I refreshed the page, it seemed that I had access to the admin account, without ever having to log in O.o. This happened without me having to input any credentials (in fact, I did not know the e-mail or password). I simply refreshed the page and I was in the admin account!
This is uncanny.
Is there a session token leak with whoever has logged in before/has access to account registration when the very first account is registered in a self-hosted Plausible instance?
I'm just creating this issue for visibility.
LuchoTurtle added the labels question (A question needs to be answered before progress can be made on this issue) and feedback (Feedback from people using the App or any other repo) on Aug 14, 2024.