During the SetupWizard, once connected (with the admin password from file), if you browse to <url>/jenkins/configureSecurity/ you can access the Configure Global Security and disable the security.

As the steps there are meant to be useful for the admin but can be skipped it's not a vulnerability but more a bug in the implementation of the Wizard filter.